Not sure if I understand exactly your problem but I have a LoginModule access a secured EJB. I used RunAsLoginModule as an example. The problem is that JBoss has a stack containing principals and credentials. When a login module is called this stack is empty so if your LoginModule tries to acces a EJB the security intercepter tries to re-login and you end up in an infinite loop. At the beinging of you login() method you need to push the role that is defined in your jboss.xml. This way when the security intecrept is applied it will find the correct role and let the access through. http://docs.jboss.org/jbossas/javadoc/4.0.5/security/org/jboss/security/a... --kevin View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3989554#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...