pcarrollnf suggested copying the security policy, and naming the copy BYPASSED-SECURITY. This works at the point where I was getting an error, but it's in a complex chain of events and towards the end the security principal suddenly becomes 'guest', like this is the next fallback position when it happens again. So I've gone back to using 4.2.1 for now - too bad, since I wanted to use 5.0's webservices. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4223848#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...