Some additional information. Here is the code from the managed bean action method that the
Login button calls that creates the LoginContext. I've added debugging code to
retrieve the subject from the authentication cache (at least I hope that's what
PolicyContext does) and display everything, then I do an isUserInRole call on the role:
| LoginContext loginContext = new LoginContext(LOGIN_APP_POLICY, this);
| loginContext.login();
| // If there is no exception, login succeeded.
| returnString = SUCCESS;
| // Remove the password from memory and Faces display.
| password = null;
| // Put the loginContext object into the user's session.
| request.getSession().setAttribute(LOGIN_CONTEXT_ATTR, loginContext);
| // TODO debugging code -- get subject from cache?
| //Subject subject = loginContext.getSubject();
| Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
|
| Set<Principal> principals = subject.getPrincipals();
| for (Principal p : principals) {
|     System.out.println("Principal " + p.getName());
|     if (p.getName().equalsIgnoreCase("Roles")) {
|         Group g = (Group) p;
|         Enumeration<? extends Principal> roles = g.members();
|         while (roles.hasMoreElements()) {
|             Principal role = roles.nextElement();
|             System.out.println("Role " + role.getName());
|         }
|     }
| }
| boolean isInRole = request.isUserInRole(DataConstants.COMMUNITY_USER);
| if (isInRole) {
|     System.out.println("User is in role " + DataConstants.COMMUNITY_USER);
| } else {
|     System.out.println("User is not in role "
|             + DataConstants.COMMUNITY_USER);
| }
|
The output from this follows:
| 11:08:47,790 INFO [STDOUT] Principal techteam
| 11:08:47,791 INFO [STDOUT] Principal Roles
| 11:08:47,791 INFO [STDOUT] Role tair_curator
| 11:08:47,791 INFO [STDOUT] Role community_user
| 11:08:47,791 INFO [STDOUT] User is not in role community_user
|
If I'm interpreting this correctly, the cached Subject has the correct role in the
Roles group but the isUserInRole() method is not finding it. It may be that the
HttpRequest here is outdated, but shouldn't that method go to the cache? What am I not
understanding?
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4171598#...
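
An added example, not part of the original post and not JBoss code: `HttpServletRequest.isUserInRole()` is answered from the caller the container has associated with the request, and `getUserPrincipal()` returns null when there is none, so this helper puts that view next to the roles held in the Subject's "Roles" group. The class name `RoleViewDiagnostics` and its methods are hypothetical; it assumes the same `java.security.acl.Group` type the post uses.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical helper (added example): Subject roles versus the container's view of the request. */
public final class RoleViewDiagnostics {
    /** Role names from every Group named "Roles" in the Subject, following nested groups. */
    static Set<String> subjectRoles(Subject subject) {
        Set<String> names = new TreeSet<String>();
        if (subject == null) return names;          // nothing cached for this thread
        for (Group g : subject.getPrincipals(Group.class)) {
            if ("Roles".equalsIgnoreCase(g.getName())) {
                collect(g, names);
            }
        }
        return names;
    }

    private static void collect(Group group, Set<String> names) {
        Enumeration<? extends Principal> members = group.members();
        while (members.hasMoreElements()) {
            Principal member = members.nextElement();
            if (member instanceof Group) {
                collect((Group) member, names);     // nested role group
            } else {
                names.add(member.getName());
            }
        }
    }

    /** First line: the request's caller. Then one line per Subject role with the request's answer. */
    public static String report(HttpServletRequest request, Subject subject) {
        StringBuilder out = new StringBuilder();
        Principal caller = request.getUserPrincipal();  // null: no authenticated caller on the request
        out.append("authType=").append(request.getAuthType())
           .append(" remoteUser=").append(request.getRemoteUser())
           .append(" userPrincipal=").append(caller == null ? "null" : caller.getName())
           .append('\n');
        for (String role : subjectRoles(subject)) {
            out.append(role).append(": inSubject=true isUserInRole=")
               .append(request.isUserInRole(role)).append('\n');
        }
        return out.toString();
    }
}
```

Calling `RoleViewDiagnostics.report(request, subject)` where the debugging loop runs shows whether the request carries any caller at all before the individual role answers are compared.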