Unless you configured everything well what you are missing is that each user must belong to "Authenticated" role to be authorized to access portal resources. The mechanism in portal is that in IdentityLoginModule after user credentials are confirmed membership in role "Authenticated" is injected. You will find it in configuration: <application-policy name="portal"> | <authentication> | <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="required"> | <module-option name="unauthenticatedIdentity">guest</module-option> | <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option> | <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option> | <module-option name="additionalRole">Authenticated</module-option> | <module-option name="password-stacking">useFirstPass</module-option> | </login-module> | </authentication> | </application-policy> Look in portal-server.war web.xml - servlets have: <security-role-ref> | <role-name>Authenticated</role-name> | <role-link>Authenticated</role-link> | </security-role-ref> View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3987427#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...