on playing around I would say this is happening: 1. Page A had a include to a menu.xhtml which uses the #{s:hasRole('abc') and if you look at the source for this it tries to log you in 2. On JSF page processing it must be processing this when in the rendered attribute and then again when the action command is executed. Hence you get two calls on the authenticate in the same page processing cycle however one of them has the password set and the second call doesn't as it gets reset in the postAuthenticate call on the Identity class from the first pass through. Make sure you don't have a EL reference to hasRole during your login sequence, it really confuses things! A trap for young players Cheers Troy View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4078277#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...