No, this isn't a bug. If credentials have been set yet the login() method hasn't been explicitly called, Seam Security may attempt to perform a "quiet" login if any security checks (such as hasRole() or hasPermission()) are invoked. This provision allows for single sign-on etc to authenticate quietly without having to present the user with an unnecessary login form. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4101160#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...