I am actually struggling with this issue in 4.0.5GA. What is interesting is that the wiki article for using custom principals doesn't say that the custom principal will be used as the caller principal if you simply supply the class name via the module-option. I have stepped through a login session using UserRolesLoginModule with the principalClass option set, and I see that the createIdentity() calls create Principals of the custom type. What is interesting is that no where a custom principal type get assigned to a group named CallerPrincipal like the login module example in the wiki article does. I created a login module much like the code example in the wiki, and it worked as I expected - I call request.getUserPrincipal().getClass() in a jsp and it gives me the custom principal class name. Why would you allow customization of the principal class (via the module option), but not use a principal of that type for the caller principal? I can't tell if I am looking at a bug or if I am just misunderstanding the intent of the option. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4114473#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...