Something else: if I call the method addRole() after id.authenticate() the role is actually added, but when I load the pages where I actually want to check if the user is ADMIN (see first post when i call delete()) the method still returns false. Some additional info: I declared the authenticator method in components.xml as follows: <security:identity authenticate-method="#{login.authenticate}"/> and pages.xml looks like follows: | <pages login-view-id="/auth_login.xhtml"> | ... | <page view-id="/mypage.xhtml" no-conversation-view-id="/auth_login.xhtml" login-required="true"> | ... | </page> | ... | </pages> | I noticed that if I don't call the authenticate() method manually from the login page (see first post) it is never called and any page that I try to render redirects me to the login page. Shouldn't the authenticate method be called automatically? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4059835#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...