RAP is running in the same JBoss and the access is restricted through: <security-constraint> | <web-resource-collection> | <web-resource-name>myapplication</web-resource-name> | <url-pattern>/test/*</url-pattern> | </web-resource-collection> | <auth-constraint> | <role-name>*</role-name> | </auth-constraint> | </security-constraint> The RAP part work's fine. It seems I've found a solution to my problem: http://msikora.typepad.com/michael_sikora_on_java_ee/2009/03/converting-t... I need to test this on a server so I can access from different client computers. For now, the authentication works. The SessionContext.getCallerPrincipal().getUsername() returns what I put in. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4263172#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...