It assumes this context: 1.One ejb jar with one X Stateless . 2.Another ejb jar with Y Stateless. 3.The Security Domain is the same for both. Well, the login was made for client with user A. At this moment was performed one method of the X Stateless. In the sequence client perform another method in Y Stateless. The Subject is OK. The client made the logout. Now the client made the login with user B perform the same method in X Stateless. After this it executed the same method in Y Stateless. At this moment the Subject is of user A. I'm using isValid(principal,credential,subject) SecurityAssociation method to retrieve the Subject. In my jboss-service.xml JAAS Security Manager configuration the attribute is DefaultCacheTimeout = 0 and DefaultCacheResolution = 0. What's the problem??? Why the user A Subject still exists in the EJB Container after the first logout. My environment: -OpenSuSE Linux version 10.0 -JDK vesion 1.5.0_06 -JBoss-AS version4.0.4.GA -EJB3 RC9FD+Patch. Thaks a lot. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4038361#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...