After doing some extra digging, this is what I found out.
JBossSecurityMgrRealm creates a roleMap keyed by principal (SimplePrincipal). When the user
is only authenticated by JBoss, the request does not contain a principal, therefore the
authenticate method is called in JBossSecurityMgrRealm. Here a SimplePrincipal object is
created from the passed-in user name and then the roles are looked up by this key.
BUT!!! If the user is initially authenticated by the web server (Apache), then CoyoteInvoker,
which handles requests for Tomcat, sees that the user exists in the request and creates a
CoyotePrincipal within the request. Now the authenticate method of JBossSecurityMgrRealm is
NOT called. The role lookup fails because roles are keyed by SimplePrincipal and the lookup
is done with a CoyotePrincipal object.
I hope what I said makes sense to everyone. But this is causing a problem for us. I am
sure someone else ran into this before. How do we get around it?
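The key-type mismatch described in the post, reproduced as an added example (not from the original post, and not JBoss or Tomcat code). `RealmPrincipal` and `ConnectorPrincipal` are hypothetical stand-ins for SimplePrincipal and CoyotePrincipal; their `equals`/`hashCode` behaviour is an assumption chosen to reproduce the failed lookup, and the name-based lookup assumes the front-end and the realm share one user namespace.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class PrincipalKeyMismatch {
    // Hypothetical stand-in for the realm's key type: equal only to its own class, by name.
    static final class RealmPrincipal implements Principal {
        private final String name;
        RealmPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RealmPrincipal && ((RealmPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    // Hypothetical stand-in for the connector's type: inherits identity equals/hashCode.
    static final class ConnectorPrincipal implements Principal {
        private final String name;
        ConnectorPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Lookup with whatever Principal object the request carries.
    static Set<String> rolesByObject(Map<Principal, Set<String>> roleMap, Principal p) {
        Set<String> roles = roleMap.get(p);
        return roles != null ? roles : Collections.<String>emptySet();
    }

    // Lookup after normalising the request principal to the map's own key type.
    static Set<String> rolesByName(Map<Principal, Set<String>> roleMap, Principal p) {
        return rolesByObject(roleMap, new RealmPrincipal(p.getName()));
    }

    public static void main(String[] args) {
        // Constructed sample data: one user with one role, keyed as the realm would key it.
        Map<Principal, Set<String>> roleMap = new HashMap<>();
        roleMap.put(new RealmPrincipal("alice"), Collections.singleton("admin"));

        // Same user name, but the object was created by the connector, not the realm.
        Principal fromRequest = new ConnectorPrincipal("alice");

        System.out.println("by object: " + rolesByObject(roleMap, fromRequest));
        System.out.println("by name:   " + rolesByName(roleMap, fromRequest));
    }
}
```

The failure mode is a silent empty role set rather than an exception, so an authenticated user simply appears to have no roles and every role-protected resource is denied.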