I want to implement a secure web application without using the web.xml security constraints. My servlet can be accessed by authenticated and unauthenticated users. When the login is requested, my servlet receives username and password from an HTML login page, creates a UsernamePasswordHandler and tries to authenticate that user (username) using programmatic login. If login succeeds, the servlet stores the returned Subject in the user's session and continues its execution. For new requests (after login), the servlet gets the Subject from the session and checks the user (a new LoginContext is created for each request using the Subject). This works well only for the servlet execution. If the servlet tries to access a protected EJB, sessionContext.getCallerPrincipal returns null. Is there a way to allow that authenticated user to access those protected EJBs?
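The web-tier login flow described in the question, as an added illustration that is not the asker's code. It assumes a JAAS login configuration entry named `web-app`, uses a plain `CallbackHandler` in place of the server-specific `UsernamePasswordHandler`, and runs authenticated requests with `Subject.doAs`; the servlet path, attribute name and parameter names are constructed for the example.

```java
// Added illustration of programmatic JAAS login in a servlet (not the asker's code).
// Assumptions: a JAAS configuration entry named "web-app" exists; the callback
// handler below stands in for the server-specific UsernamePasswordHandler.
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.security.PrivilegedAction;
import java.util.Arrays;

public class ProgrammaticLoginServlet extends HttpServlet {
    static final String SUBJECT_ATTR = "jaas.subject"; // constructed session attribute name
    static final String LOGIN_CONFIG = "web-app";      // assumed JAAS configuration entry

    // Answers NameCallback/PasswordCallback for the login modules; the password
    // array is wiped after use so it does not linger in the heap.
    static final class NamePasswordHandler implements CallbackHandler {
        private final String name;
        private final char[] password;

        NamePasswordHandler(String name, char[] password) {
            this.name = name;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(name);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }

        void clear() {
            Arrays.fill(password, '\0');
        }
    }

    // Login request: username/password from the HTML form -> LoginContext.login().
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        NamePasswordHandler handler = new NamePasswordHandler(user, pass.toCharArray());
        try {
            LoginContext lc = new LoginContext(LOGIN_CONFIG, handler);
            lc.login();
            // Drop any pre-login session before storing the Subject (session fixation defence).
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            req.getSession(true).setAttribute(SUBJECT_ATTR, lc.getSubject());
            resp.sendRedirect(req.getContextPath() + "/app");
        } catch (LoginException e) {
            // Same response for unknown user and wrong password: no account enumeration.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } finally {
            handler.clear();
        }
    }

    // Subsequent requests: pick the Subject up from the session and run under it.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        Subject subject = session == null ? null : (Subject) session.getAttribute(SUBJECT_ATTR);
        if (subject == null) {
            resp.getWriter().println("anonymous view"); // unauthenticated users are allowed here
            return;
        }
        // The Subject is established only in the web tier; as the question reports,
        // an EJB's sessionContext.getCallerPrincipal() does not see it by itself.
        Subject.doAs(subject, (PrivilegedAction<Void>) () -> {
            try {
                resp.getWriter().println("principals: " + subject.getPrincipals());
            } catch (IOException ignored) {
                // response already committed or closed
            }
            return null;
        });
    }
}
```

The handler is wiped in `finally` so the password chars do not outlive the login attempt, and the failure branch returns one generic 401 for every cause.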