I found that the security valve is never setting the subject in the session attribute - is that intended or should line 95 of the AbstractSecurityValve.java read
request.getRequest().getSession().setAttribute(PortalReservedParameters.SESS ION_KEY_SUBJECT, subject); instead of the current (J2-M1) request.getRequest().setAttribute(PortalReservedParameters.SESSION_KEY_SUBJE CT, subject); Cheers, Tom