The problem was caused by our SecurityMetadataStore that was pushing the new Principal/Credential on the thread local's authentication info stack. I just removed that. All tests pass (including the one that I wrote for the bug). Tim, any particular reason you did the "SecurityActions.pushSubjectContext(principal, passwordChars, subject)" thing for? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4014019#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...