I don't know specifically about your LoginModule, but to get the logged-in Subject onto the SecurityAssocation stack we need to have two login modules, one is our own custom one, and the other is the JBoss ClientLoginModule. It is the ClientLoginModule that pushes the Subject onto the SecurityAssociation stack upon commit(), and pops on logout() and abort(). Note - make sure that you set restore-login-identity to true for the ClientLoginModule otherwise you get strange behaviour upon cache timeout. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4041209#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...