There are a few articles about using JAAS authentication and propagating the authenticated subject to EJBs. Sometimes it is also described that in order to keep the client authenticated for the duration of the HttpSession, one should keep the credentials (username + password) in the session so that every request can use LoginContext.login again. This is one example: http://publicobject.com/2005/04/logging-in-to-web-app-using-jaas-on.html

I'm curious whether there is a better way that doesn't force the container to validate the user's credentials each and every request. For example, I'd like to be able to just store the Subject object in the session, and somehow reattach this subject object to the LoginContext in each request.

I tried using JBoss's SecurityAssociation's static method called setSubject, which seemed to work, but it actually didn't cause this subject object to propagate in EJB calls.

So, are there any suggestions?

Thanks,
Amit Kasher