You cannot affect the web container security context via programatic login from the web component level. If you want to interact with the security context you need to integrate with the web container using either a tomcat valve, or a custom authenticator. In general it does not make sense for you do be able to do a jaas login in the context of a web app call. Session ids needs to be correlated, and authentication mechanisms like CLIENT-CERT and DIGEST require that the container interact with the caller side. http://wiki.jboss.org/wiki/Wiki.jsp?page=CustomizingSecurityUsingValves http://wiki.jboss.org/wiki/Wiki.jsp?page=ExtendedFormAuthenticator http://wiki.jboss.org/wiki/Wiki.jsp?page=ExternalizeTomcatAuthenticators View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3992441#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...