My application consists of 2 EARs. One EAR has the web application and presentation
logic. The other EAR consists of secured session EJBs.

In the Web App EAR I defined a ServletContextListener that will authenticate itself with
the EAR containing the secured EJBs. I am doing this using the ClientLoginModule. The
EAR with the secured EJBs contains a SAR that defines a custom login module where I also
create a custom Principal.

My problem is that when a request comes in from the web application and that thread tries
to access the secured EJBs, it fails saying I am unauthorized to do so. Does anyone know
how to associate the calling thread with the security context created in the
ServletContextListener?

During the JAAS authentication, I am storing the Subject returned from the login method.
I have tried Subject.doAs but it doesn't work. I am porting my application from
WebLogic where it works fine using the Subject.runAs provided by a WebLogic library.