Hi Remy, I just wanted to pick your brain on the following: Web Authorization: Previously, the JBoss Authorization stack was run by default for access control unless the user configured not to do so. In JBoss AS7.1, we have this disabled until the user configures the following in jboss-web.xml <use-jboss-authorization>true</use-jboss-authorization> Web Audit: I had a brief chat with JFClere last week and decided on the following: JBossWebRealm will send audit events to the audit framework unless the following setting is in jboss-web.xml <disable-audit>true</disable-audit> Audit is the feature that can add miniscule overhead. So if you want to turn it off the audit by default, you have to change JBossWebRealm to have: boolean disableAudit = true rather than the current "false". In that case, we will require the users to configure jboss-web.xml if they want audit for that particular webapp. In think the authorization piece does not add any overhead. I just want to check with you on the audit part. Regards, Anil