I think you need to double check the roles that the user is being associated with, if you have enabled TRACE logging for org.jboss.security you should see something similar to the following in the server.log after the authentication process has completed: - 2008-07-24 21:35:08,768 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject: | Principal: darranl(a)JBOSS.ORG | Principal: Roles(members:Trader,Users,Banker,ipausers) | Principal: CallerPrincipal(members:darranl@JBOSS.ORG) | , sc=org.jboss.security.SecurityAssociation$SubjectContext@c05c2{principal=A1C423689601B6D6CC7D7682CBFB0525,subject=17368622} | If you are using the negotiation toolkit this requires the user to have the 'Users' role. Also as you are using the UsersRolesLoginModule as the second login module in the chain verify that the principal name does match the values you are using in the roles properties file, this should be the first principal in the list - in the example above this is 'darranl(a)jboss.org'. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4167926#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...