Integrated with the AS we receive principal/credential from the invocation layer, which then internally delegates to the security framework. It's basically JBossWS doing a callback to either the servlet or ejb tier. For the ESB with it's own invocation layer (you setup your own transport) it doesn't seem to be defined yet. So yes, I think this addresses a general problem across different transport types and not just SOAP/Http in particular. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4120510#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...