I found one solution, though I'm not sure if this is the right solution. I used a different constructor for the GenericPrincipal that included a list of roles, which at the moment I just populated with a hardcoded role name, and it worked. I thought obtaining the role 'mapping' was a function of the login module, not the Authenticator? Apparently the Authenticator needs to include the roles in the user principal object. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4109987#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...