Hi everybody,
I've developed an EJB3.0 application; now I want to add security using JAAS.
The client is a rich Delphi application that communicates with the server via HTTP through a
servlet. This servlet has this JAAS login code:
loginContext = new LoginContext("GTSPDB", new MyCallbackHandler(user, password));
loginContext.login();
where user and password come in the HTTP request. The user authentication works fine, but
when I call the SessionContext getCallerPrincipal in the session bean, an error is raised:
12:31:11,304 TRACE [SecurityAssociation] getCallerPrincipal, principal=null
12:31:11,320 ERROR [STDERR] java.lang.IllegalStateException: No valid security context for the caller identity
I've declared the security context in login-config.xml:
<application-policy name = "GTSPDB">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/MySqlHibernate</module-option>
      <module-option name="principalsQuery">SELECT password FROM user WHERE name=?</module-option>
      <module-option name="rolesQuery">SELECT rolename,'Roles' FROM userrole WHERE userrole.username=?</module-option>
    </login-module>
  </authentication>
</application-policy>
and the tables in the database are populated with these user and role data.
I've read the "JAAS Howto: README FIRST" but I haven't found a solution.
Why is the Principal not propagated to the session bean if login works? What am I doing wrong? Am
I missing something?
Thanks very much for your help.
pedro.