I have tried this with SP1 & with 4.0.5GA as suggested and still encountered the same problem. Just to clarify: Before we make the remote call, we can see the original user: org.jboss.security.SecurityAssociation.pushSubjectContext,subject=Subject: Principal:AdminPrincipal:Roles(members:Admin),sc=org.jboss.security.SecurityAssociation$SubjectContext@1dadaa{principal=Admin,subject=7645779} org.jboss.security.SecurityAssociation.getSubject,sc=org.jboss.security.SecurityAssociation$SubjectContext@1dadaa{principal=Admin,subject=7645779} And then when we make the remote call, we can see the remote user being setup: org.jboss.security.SecurityAssociation.setCredential,sc=org.jboss.security.SecurityAssociation$SubjectContext@1bb7285{principal=null,subject=null} org.jboss.security.SecurityAssociation.setPrincipal,p=remoteAdmin,server=true org.jboss.security.SecurityAssociation.setPrincipal,sc=org.jboss.security.SecurityAssociation$SubjectContext@1bb7285{principal=remoteAdmin,subject=null} org.jboss.security.SecurityAssociation.getPrincipal,principal=remoteAdmin And then we see the original security logs I posted before. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3993731#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...