I had a discussion with Scott on this. The invocation object creators should not be
dealing with the security aspects. I will need to establish the security aspects via an
interceptor after the container.
For the client side, people should not be doing any direct SecurityAssociation stuff.
JAAS is OK. The security project should really be providing a client SPI for clients to
use. JAAS etc. should be an internal detail of the SPI. A GSS/SASL type of framework is
what we intend to move towards, one that will provide pluggable aspects semantics for security.