I think I've found a bug in jboss 3.2.x when using container managed authentication of web apps. I thought I'd post here before submitting a bug to see if anyone has any answers. After logging into a web app with container based "BASIC" authentication, any roles set are visible through request.isUserInRole() in both servlets and jsp pages. If a servlet invokes an operation on a JMX service through the RMI adaptor, the roles are still visible in the servlet. However, if that servlet forwards to a jsp page, all calls to request.isUserInRole() return false. If the servlet makes the same invocation directly through the JMX server, all roles are visible to the .jsp after forwarding. Roles are seen correctly in any later request as long as the servlet does not do an RMI adaptor based invocation. The same app works as expected with 3.0.x with either the 4.0 or 4.1 series of Tomcat. Also, I have the simplest ear file I could come up with to demonstrate the problem if anyone is interested. Has anybody else run across this problem?