Finally i fixed the problem. We have two things to do to avoid the NPE. 1. if the caller does not call LoginContext.login, then the NPE will be throwed. so we must call LoginContext.login(see JAAS doc) 2. we must include org.jboss.security.ClientLoginModule in one jaas.config file(as in -Djava.security.auth.login.config=jaas.config). BTW, @SecurityDomain is not necessary. Thank you jaikiran. Sunnygrass View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4204493#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...