As you suspected, request.getRemoteUser() is returning null. There is one slight difference that makes me not use BASIC or FORM login; I am plucking the username out of the request header which is passed on to this servlet from a SSO framework. All requests come through this servlet. So, yes, user principle and Subject are being created at every request. So, is there a way I can do a IsUserInRole type check in the jsp's that this servlet dispatches to? On a related note, what enables for this user to be propagated successfully to EJB layer, even though it's not available to the authenticating Servlet itself? Thanks for your help! View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3981208#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...