"sunnygrass" wrote : Finally i fixed the problem. | | We have two things to do to avoid the NPE. | 1. if the caller does not call LoginContext.login, then the NPE will be throwed. so we must call LoginContext.login(see JAAS doc) | 2. we must include org.jboss.security.ClientLoginModule in one jaas.config file(as in -Djava.security.auth.login.config=jaas.config). | | BTW, @SecurityDomain is not necessary. | | Thank you jaikiran. | | Sunnygrass In Jboss 4.2.x getCallerPrincipal returns "anonymous" Principal in case when caller didn't call LoginContext.login and @SecurityDomain is used. I think here regression from version 4.2.x. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4238536#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...