I am saying that there should be an implementation of the SubjectSecurityManager interface just like the JaasSecurityManager. This will implement the method isValid(Principal,Object cred). So you will be given an userid and password. Now you can internally call the jaas framework(where you can get the expected password from ldap,db wherever). This is the right approach. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4047888#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...