Hi I've got big problem. There is the system on which I do work, it uses NTLM to autheticate the user. There is special authenticator - the same like NtlmHttpFilter from Jcifs, but not a servlet - a special class (which is derived from AuthenticationBase from tomcat jars) packaged as jar together with login module, which I use in my app. Login module is used to authorise the user - retrieves roles from database. When user enteres the app url in the browser it is automatically logged in when she/he is logged in the domain. But when not - the browser shows the window to log in. I need in my app the second way to authenticate and authorise the user - login and password should be matched with these from db. I wrote a special jsp and servlet to do that. I also wrote loginModule to log user from db. But how can I do authorisation - so that user roles are retrieved correctly? Application uses ejb3 and user principal must be in the sessioncontext. Is that possible? View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4220098#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...