We think we have a solution. But not sure why exactly it works. We are still using Seam 1.2.1GA. A litle background. Our architecture is a typicaly n-tier one (why we adopted this is model? See here http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4058248). JSF(Facelets)--uses FORM objects--Action class--uses DTO--Service layer--uses Domain objects to persist. We use Seam security for both authentication and authorization. Usually we have the rules in security.drl and @Restrict at method level at the service layer. However we did have @Restrict("#{identity.loggedIn}") at the FORM Class level to ensure that the user is re-directed to the login page when the conversation timesout. After adding a few more debug stmts to Identity and SecurityInterceptor class (where the NullPointerException occurs) what we noticed was, when the NullPointerException occurs the expression that is being evaluated is "identity.loggedIn" and the interceptor target was always a FORM object. On a hunch we removed "(a)Restrict("#{identity.loggedIn}")" from the FORM and added "required-login=true" in pages.xml (which should have been done in the first place). Now when we re ran our concurrency test, the exception went away. So the question is ... - How does "(a)Restrict("#{identity.loggedIn}")" at a Class level in a FORM object cause the NPE when there are concurrent users? - Why does this not occur for a single user? We would love to dig into the Seam code and find answers. Unfortunately we have very limited time on our hands. So I was wondering if there is anybody out there who is familiar with this particular Seam code and can shed some light on this behaviour. Thanks. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4126145#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...