Sohil, The reason I need to use my own security realm is because this realm is shared by more than one application and JBoss Portal is just one of the applications deployed in JBoss that uses this shared realm. The way I've implemented this - * There is a shared security realm (and possibly, more than 1 at some point) used by multiple applications. * I also have a use case for bypassing security (trusted application scenario, etc.), so I can't rely on container managed security and j_security_check as it would ALWAYS challenge the user and I don't want that in certain cases. * So, I moved to using my own Servlet and have that do something like this: UsernamePasswordHandler handler = new UsernamePasswordHandler(username, | password); | LoginContext context = new LoginContext("SecurityRealmName", handler); | context.login(); * This works for my application but it doesn't for JBoss Portal though the authentication succeeds. * Enabling trace logging, I can tell that the principals are not being set and hence, the JBoss Portal authorization fails. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4071642#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...