The JBossGenericPrincipal instance constructed and cached by JBossWebRealm.authenticate() creates a copy of Subject caller principal, roles, password. Therefore any modifications to the subject during the user's session and not propagated to the JBossGenericPrincipal. It would be preferable if the data returned by JBossGenericPrincipal came directly from the Subject object itself.