I reply myself for the benefit of the comunity: A workarround that I found is to use two applications: You have to use two applications in the same security realm. In one you put FORM autentification and in the other you put CERT-CLIENT authentication. One application is the one you have developed and the other simply has a index.jsp that redirect to the other. That jsp has to be protected. This way when you try to access the jsp, authentification is done and credentials are put in the session and how the two apps share the same security realm you are logged in the other application. Cheers, --- http://www.joanpujol.cat View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4021744#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...