Well you could also secure /* instead of auth/* in the jboss-server.war/WEB-INF/web.xml file View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3991552#3991552 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3991552