We were able to finally workaround this issue without resorting to turning off all authentication caching in 4.2.2GA. First I flush the authentication cache for the user who needs their roles refreshed. http://wiki.jboss.org/wiki/Wiki.jsp?page=CachingLoginCredentials Then use the new WebAuthentication class that Anil added (see: http://wiki.jboss.org/wiki/Wiki.jsp?page=WebAuthentication) to logout the user and programmatically log them right back in. Anil, do you see any drawbacks to this approach? Hope this helps! -Marc View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4133626#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...