Are you using a java client ? How is this done ? anonymous wrote : And the same user was accessing an ejb from another subsystem Point is, if you using a java client then Authentication is per login. Which means , you login from your java client, access the secured ejb, do your work & log out. If you call a unsecured subsystem, then login has to happen before access is granted to the secured resource. Hope this explains View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4174091#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...