Dear gang, This was an interesting hunt for me as I have not used client certs before. I think you have two options. 1.) Follow JBossSX Subject usage package in your custom login module and add a java.security.acl.Group with name "CallerPrincipal" to the authenticated Subject's principal set. In that group, add your custom Principal class. 2.) Have your custom principal extend org.jboss.security.CertificatePrincipal and set this as the "certificatePrincipal" attribute in Tomcat's server.xml file for JBossSecurityMgrRealm config. if you need more details or if you have problems, let us know. cgriffith View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3961544#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...