Not sure this question is in scope of the forum. Two things you need to describe in your web.xml: 1) Security constraint mapped to some url pattern and requires some role. 2) Role mapped to security domain. So you need to configure your web.xml as following: Two different security constraints mapped each to its url pattern e.g. <url-pattern>/*_cert_requred_*</url-pattern> requires some role: "CertProtected" <url-pattern>/*_passwd_requred_*</url-pattern> requires some role: "PasswordProtected" Best way to do this - separate your app to subcontexts: <url-pattern>/cert_requred/*</url-pattern> <url-pattern>/passwd_requred/*</url-pattern> Then you need to map each role to its JAAS domain. If you are mapping some security constraints to one url pattern (/*)... The result is depending on implementation. In best case you will got working the last constraint. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4221346#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...