anonymous wrote : Is the principal used as identity (ie username) in web-app#2 during BASIC authentication in your database? No, its not - I understand that it tries to find the principal in the database and fails. Unfortunately, its not possible to store users of app#1 and app#2 in the same place - so I have to use different auth schemes. Before I implemented BASIC auth in the app#2, I was getting "isufficient method permissions" (IIRC), because principal was null. This was solved by adding "unauthenticatedIdentity" option in login-config. Mind you, it didn't try to access the DB then. As soon as I added BASIC auth, it started to try to access the DB. So, the question is why is it doing it, when the method is marked as unchecked? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3959224#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...