You shouldn't call your authenticate method directly, you need to call identity.login() and it will perform a JAAS login which in turn calls your authenticate method. Also, addRole() only adds a role to the list of pre-authenticated roles for the user. It doesn't become a "real" role until authentication is successful, which is why when you call hasRole() inside your authentication method, it returns false (authentication hasn't completed yet!). View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4060209#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...