I've implemented my authenticator component as per the Seam docs (section 12.3.2) and have come across a security flaw that I thought people should know about, or maybe someone can point out what I've done wrong.

I have two user roles, 'admin' and 'user', and use these to determine which pages to show.

If I log in as admin and then go directly to the login page (without logging out) and log in as a normal 'user', I get the 'admin' role as well as the ordinary 'user' role. Clearly the Identity instance is not getting cleared down anywhere. Maybe this should be added to the example, or have I missed something out?
View the original post: http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4034559#...
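The behaviour described in the post, reproduced as an added, self-contained example (not code from the post, the Seam docs or the Seam project). A session-scoped identity object is modelled with a small constructed class, and two authenticator variants are run against it: one that only ever adds roles, as a minimal docs-style authenticator would, and one that clears the roles already held in the session before granting the new user's roles. Usernames, the user-to-role table and the class names are constructed for the demonstration; the mapping of `clearRoles()` onto Seam's own Identity (removing each existing role, or logging out before the second login) is an assumption, not something the post confirms.

```java
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

// Constructed stand-in for a session-scoped Identity. Like the real thing,
// it outlives a single login: roles stay until something removes them.
final class SessionIdentity {
    private String username;
    private final Set<String> roles = new LinkedHashSet<>();

    String getUsername() { return username; }
    void setUsername(String username) { this.username = username; }
    void addRole(String role) { roles.add(role); }
    boolean hasRole(String role) { return roles.contains(role); }
    Set<String> getRoles() { return new LinkedHashSet<>(roles); }

    // Reset everything a previous login may have left behind.
    // (Assumed Seam equivalent: remove each role the Identity still holds,
    // or call logout() before authenticating the new user.)
    void clearRoles() {
        roles.clear();
        username = null;
    }
}

public class ReloginDemo {
    // Constructed user store: username -> roles granted on successful login.
    private static final Map<String, Set<String>> USERS = Map.of(
        "alice", Set.of("admin", "user"),
        "bob",   Set.of("user"));

    // Docs-style authenticator: grants roles, never removes any.
    // Re-authenticating in the same session accumulates privileges.
    static boolean authenticateLeaky(SessionIdentity identity, String user) {
        Set<String> granted = USERS.get(user);
        if (granted == null) {
            return false;
        }
        identity.setUsername(user);
        for (String role : granted) {
            identity.addRole(role);
        }
        return true;
    }

    // Hardened authenticator: drop the previous login's roles first, so the
    // session holds exactly the roles of the user who just authenticated.
    static boolean authenticateFixed(SessionIdentity identity, String user) {
        identity.clearRoles();
        Set<String> granted = USERS.get(user);
        if (granted == null) {
            return false;
        }
        identity.setUsername(user);
        for (String role : granted) {
            identity.addRole(role);
        }
        return true;
    }

    public static void main(String[] args) {
        // Same session, admin login followed by a plain-user login, no logout.
        SessionIdentity leaky = new SessionIdentity();
        authenticateLeaky(leaky, "alice");
        authenticateLeaky(leaky, "bob");
        System.out.println("leaky: user=" + leaky.getUsername()
            + " roles=" + leaky.getRoles()
            + " hasAdmin=" + leaky.hasRole("admin"));

        SessionIdentity fixed = new SessionIdentity();
        authenticateFixed(fixed, "alice");
        authenticateFixed(fixed, "bob");
        System.out.println("fixed: user=" + fixed.getUsername()
            + " roles=" + fixed.getRoles()
            + " hasAdmin=" + fixed.hasRole("admin"));
    }
}
```

Run with `javac ReloginDemo.java && java ReloginDemo`. The leaky variant reports 'bob' still holding 'admin', which is the role leakage the post describes; the fixed variant holds only 'user'. Whichever way the reset is done in a real application, the check worth adding to the page's authenticator is that a successful login leaves the session with no role the new user was not granted, and that a login attempted while a session is already authenticated is either refused or preceded by a full logout.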