Moving my LoginModule to a seperate JAR still does not work. I have one correction. The classcastexception does not occur in the CustomLoginModule. It occurs in a servlet(spring controller) that has access to the httprequest object. The following calls: request.getUserPrincipal().getClass() returns an object of type: org.jboss.security.SimplePrincipal Where as I am expecting my custom class. I have updated login-config as follows: <application-policy name = "xxx-Domain"> <login-module code="xxx.xxx.CustomLoginModule" flag = "required"> <module-option name="principalClassName"> xxx.xxx.CustomPrincipal </module-option> <module-option name="principalClass"> xxx.xxx.CustomPrincipal </module-option> </login-module> </application-policy> I am also using JBoss' WebAuthentication class to have JAAS authentication work with programmatic security. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4185854#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...