I was trying to get you to do some research so you understand your situation better and then you could see what you were doing wrong. In any case... Your problem is that ClientLoginModule only passes security data to JBoss invocation within the current thread. However, Tomcat uses thread pools to handle requests. So one request might work fine, but the other would not. When Tomcat is embedded in JBoss, a valve is added to pipeline that ensures the security data is present on each request thread. If you want to use Tomcat outside of JBoss, you need to make sure that this valve is used. Also, since Tomcat is not using JBossSecurityMgrRealm (or its newer relative) the security data does not get flushed in JBoss when HttpSession is invalidated. Does this help? cgriffith View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3965248#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...