Hello all,
I would be glad to find a solution to the following problem:
I have a client which makes subsequent login and logout calls to an EJB 3 server.
The principal can be relatively complex. There is an EJB method called "test",
which simply returns the name of the callerPrincipal set in the sessionContext.
The following test code works:
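
    import javax.naming.InitialContext;
    import org.jboss.security.client.JBossSecurityClient;
    import org.jboss.security.client.SecurityClient;
    import org.jboss.security.client.SecurityClientFactory;

    // Set the client-side credentials and log in
    final SecurityClient client =
        SecurityClientFactory.getSecurityClient(JBossSecurityClient.class);
    client.setSimple("ln=admin,oce=org_A", "passwd");
    client.login();
    final InitialContext ctxt = new InitialContext();
    final AdministrationServiceRemote adminService = (AdministrationServiceRemote) ctxt
        .lookup("cm3ear/AdministrationService/remote");
    // test() returns the name of the caller principal seen by the server
    System.out.println(adminService.test());

giving the expected output

    ln=admin,oce=org_A.
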
Now I change the code to

    // Log in as ln=admin,oce=org_A
    final SecurityClient client =
        SecurityClientFactory.getSecurityClient(JBossSecurityClient.class);
    client.setSimple("ln=admin,oce=org_A", "passwd");
    client.login();
    final InitialContext ctxt = new InitialContext();
    final AdministrationServiceRemote adminService = (AdministrationServiceRemote) ctxt
        .lookup("cm3ear/AdministrationService/remote");
    // First call: made while logged in
    System.out.println(adminService.test());
    // Second call: made after logout
    client.logout();
    System.out.println(adminService.test());

Again, I do get the expected behaviour, that is, after the output

    ln=admin,oce=org_A

an EJBAccessException is thrown for the second call into adminService.test().
When I change the code to the following:

    // Log in as ln=admin,oce=org_A
    final SecurityClient client =
        SecurityClientFactory.getSecurityClient(JBossSecurityClient.class);
    client.setSimple("ln=admin,oce=org_A", "passwd");
    client.login();
    final InitialContext ctxt = new InitialContext();
    final AdministrationServiceRemote adminService = (AdministrationServiceRemote) ctxt
        .lookup("cm3ear/AdministrationService/remote");
    System.out.println(adminService.test());
    // Log out, then log in again as ln=admin,oce=org_B
    client.logout();
    client.setSimple("ln=admin,oce=org_B", "passwd");
    client.login();
    // Same proxy, called after the second login
    System.out.println(adminService.test());

I would expect the following output:

    ln=admin,oce=org_A
    ln=admin,oce=org_B

because I logged in with a different user the second time.
After all, the output is

    ln=admin,oce=org_A
    ln=admin,oce=org_A,

meaning that JBoss caches the user elsewhere.
On the server side we can see that the logout method of the configured LoginModule is
never called, but only the login method, and this, no matter how often the last test code
runs, always exactly two times, namely once for the login name ln=admin,oce=org_A, once
for the login name ln=admin,oce=org_B. Nevertheless the second login does not show up in
the getCallerPrincipal method.
A server restart is necessary to clear the cache.
Is this behaviour a bug or considered to be correct - because a user has already
identified itself and it is considered to be a design error if he must reidentify itself?
Any answers would be appreciated ...