As I reported in my followup post, I replaced my custom login module entirely with the
standard JBoss DatabaseServerLoginModule configured with queries. That works fine and
authenticates, but I'm still not seeing the roles being accepted during authorization.
The roles are coming back correctly from the database; I checked the spelling and stepped
through the DatabaseServerLoginModule code to verify that. The role
"community_user" is coming from the database query and is put into the
SimplePrincipal inside the Subject, and that is the role in the security-constraint in
web.xml that is authorized for the myHome.faces file. It still fails to authorize and
redisplays the login page.
Here is the login-config.xml code:

  <authentication>
    <!-- A JDBC based LoginModule
         LoginModule options:
         dsJndiName: The name of the DataSource of the database containing the
                     Principals, Roles tables
         principalsQuery: The prepared statement query equivalent to:
           "select Password from Principals where PrincipalID=?"
         rolesQuery: The prepared statement query equivalent to:
           "select Role, RoleGroup from Roles where PrincipalID=?"
    -->
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="dsJndiName">java:jdbc/ReadOnlyTairTestJTDS</module-option>
      <module-option name="principalsQuery">select ltrim(rtrim(password)) from Community where user_name=?</module-option>
      <module-option name="rolesQuery">
        SELECT "Role", 'Roles' AS RoleGroup FROM (
          SELECT c.user_name, 'community_user' AS "Role" FROM Person p
            JOIN Community c ON p.community_id = c.community_id
          UNION SELECT c.user_name, 'tair_curator' AS "Role" FROM Person p
            JOIN Community c ON p.community_id = c.community_id WHERE p.is_tair_curator = 'T'
          UNION SELECT c.user_name, 'external_curator' AS "Role" FROM Person p
            JOIN Community c ON p.community_id = c.community_id WHERE p.is_external_curator = 'T'
        ) AS Roles WHERE user_name = ?
      </module-option>
    </login-module>
  </authentication>
</application-policy>

As you can see, the roles are hard-coded strings, which I've verified against the
web.xml constraint (see that in the previous post).
So, what might be preventing JBoss security management from seeing the Subject?
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4171576#...
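A small consistency check for the situation described in the post, added here as an example and not code from the post or from JBoss: it pulls the hard-coded role literals and the RoleGroup literal out of the rolesQuery in login-config.xml and compares them with the role-names in web.xml, flagging a RoleGroup other than "Roles" (the group JBoss authorization reads roles from), constrained roles the query can never grant, and roles that differ only in case. The login-config.xml and web.xml fragments are constructed from the post; the application-policy name is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed login-config.xml fragment mirroring the post (policy name is a placeholder).
LOGIN_CONFIG = """<application-policy name="PLACEHOLDER_POLICY">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="rolesQuery">
SELECT "Role", 'Roles' AS RoleGroup FROM (SELECT c.user_name, 'community_user' AS "Role" FROM Person p JOIN Community c ON p.community_id = c.community_id
UNION SELECT c.user_name, 'tair_curator' AS "Role" FROM Person p JOIN Community c ON p.community_id = c.community_id WHERE p.is_tair_curator = 'T'
UNION SELECT c.user_name, 'external_curator' AS "Role" FROM Person p JOIN Community c ON p.community_id = c.community_id WHERE p.is_external_curator = 'T') AS Roles WHERE user_name = ?
</module-option>
</login-module>
</authentication>
</application-policy>"""

# Constructed web.xml fragment: the myHome.faces constraint described in the post.
WEB_XML = """<web-app>
<security-constraint>
<web-resource-collection><url-pattern>/myHome.faces</url-pattern></web-resource-collection>
<auth-constraint><role-name>community_user</role-name></auth-constraint>
</security-constraint>
</web-app>"""

def _local(tag):  # drop any XML namespace prefix so real descriptors parse too
    return tag.rsplit('}', 1)[-1]
def roles_query(login_config_xml):
    for opt in ET.fromstring(login_config_xml).iter():
        if _local(opt.tag) == 'module-option' and opt.get('name') == 'rolesQuery':
            return opt.text or ''
    raise ValueError('no rolesQuery module-option found')

def query_roles(sql):  # role literals the query hard-codes under the Role column alias
    return set(re.findall(r"'([^']*)'\s+AS\s+\"?Role\"?(?![A-Za-z])", sql, re.I))

def query_rolegroup(sql):  # the literal selected as RoleGroup
    m = re.search(r"'([^']*)'\s+AS\s+RoleGroup\b", sql, re.I)
    return m.group(1) if m else None

def constrained_roles(web_xml):  # every role-name in web.xml, exact spelling and case
    return {e.text.strip() for e in ET.fromstring(web_xml).iter()
            if _local(e.tag) == 'role-name' and e.text}

def check(login_config_xml, web_xml):
    sql = roles_query(login_config_xml)
    db, web = query_roles(sql), constrained_roles(web_xml)
    return {
        'rolegroup_ok': query_rolegroup(sql) == 'Roles',  # JBoss authorizes from the "Roles" group
        'missing_in_db': sorted(web - db),               # constrained roles the query never grants
        'case_clash': sorted(w for w in web - db if w.lower() in {d.lower() for d in db}),
    }
```

Role comparison in the container is an exact string match, so a case or whitespace difference between the query literal and the role-name shows up here as a missing role rather than as a near miss.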