"tom.baeyens(a)jboss.com" wrote:

the idea is that in the jbpm code, we should just check for jbpm type of permissions. e.g. org.jbpm.permission.TokenPermission or org.jbpm.permission.TaskPermission (to be created).

in your application this should be CommandPermission or something like that. you could put the command inside of the CommandPermission.

but still there is something that needs to be cleared out first: how authentication is passed into authorization.

i see 2 different situations. in case of a webapp or a swing app, the user is already authenticated when a command is created.

in case of client-server execution of commands, a client sends a command to the server for execution. in that case, there must be some client identification and credentials passed along with the command. in case of ejb, that is handled by the ejb spec, i think. so the authentication context is passed along with the method invocation over the wire.

probably something similar will exist in the web service specifications in case we want to expose the command execution service via web services.

concluding, the most important is that the authentication/authorization solution that we work out should cover both scenarios: web/swing-apps and server side execution of commands sent by a remote client.

regards, tom.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018473#...
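As an added illustration (not code from the post above or from the jBPM code base), the following Java sketch shows how the CommandPermission idea and the "authentication is passed into authorization" requirement fit together: the server never trusts the command payload to say who sent it, it derives the permission check from an authentication context that was either established locally (webapp/swing case) or rebuilt from the credentials that travelled with the command (client-server case). CommandPermission, AuthContext, CommandService, the `jbpm.command.*` naming scheme and the two sample commands are assumed names for this example; the only real API used is java.security.BasicPermission and java.security.Permissions.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

// Added example, not jBPM code: a permission type that names the command being executed,
// and a service that runs a command only when an authenticated caller holds that permission.
public class CommandAuthorizationDemo {

    // Hypothetical naming scheme: one hierarchical permission name per command class.
    // BasicPermission understands trailing ".*" wildcards, so "jbpm.command.*" implies
    // "jbpm.command.StartProcessCommand".
    private static final String COMMAND_PREFIX = "jbpm.command.";

    // Hypothetical application-level permission (the "CommandPermission or something like
    // that" from the post). The name identifies which command may be executed.
    public static final class CommandPermission extends BasicPermission {
        public CommandPermission(String commandName) {
            super(commandName);
        }
    }

    // The unit of work a client asks the server to run.
    public interface Command {
        Object execute();
    }

    // Result of authentication: who the caller is and the permissions granted to them.
    // In a webapp or swing app this exists before the command is created; in the
    // client-server case the server rebuilds it from the credentials sent with the command
    // (for EJB the container does this as part of the remote invocation).
    public static final class AuthContext {
        private final String principal;
        private final PermissionCollection granted;

        public AuthContext(String principal, Permission... permissions) {
            this.principal = principal;
            Permissions perms = new Permissions();
            for (Permission p : permissions) {
                perms.add(p);
            }
            perms.setReadOnly();
            this.granted = perms;
        }

        public String getPrincipal() { return principal; }

        public boolean implies(Permission p) { return granted.implies(p); }
    }

    // Server-side entry point. Authorization is derived from the authentication context,
    // never from anything the command object itself claims about its sender.
    public static final class CommandService {
        public Object execute(Command command, AuthContext auth) {
            if (auth == null) {
                throw new SecurityException("command rejected: no authenticated caller");
            }
            Permission required =
                    new CommandPermission(COMMAND_PREFIX + command.getClass().getSimpleName());
            if (!auth.implies(required)) {
                throw new SecurityException(
                        "principal " + auth.getPrincipal() + " lacks " + required);
            }
            return command.execute();
        }
    }

    // Two constructed sample commands; their simple class names drive the permission check.
    public static final class StartProcessCommand implements Command {
        public Object execute() { return "process started"; }
    }

    public static final class DeleteProcessCommand implements Command {
        public Object execute() { return "process deleted"; }
    }

    public static void main(String[] args) {
        CommandService service = new CommandService();

        // An administrator holds every command permission via the wildcard name.
        AuthContext admin = new AuthContext("admin", new CommandPermission(COMMAND_PREFIX + "*"));
        System.out.println(service.execute(new DeleteProcessCommand(), admin));

        // A regular user may only start processes.
        AuthContext user = new AuthContext("alice",
                new CommandPermission(COMMAND_PREFIX + "StartProcessCommand"));
        System.out.println(service.execute(new StartProcessCommand(), user));
        try {
            service.execute(new DeleteProcessCommand(), user);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }

        // A command that arrived without any credentials is rejected outright.
        try {
            service.execute(new StartProcessCommand(), null);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The design choice worth noting is where the `AuthContext` comes from: the same `CommandService.execute` serves both scenarios in the post, because in each case the caller of `execute` (the web or swing layer locally, or the remote endpoint after validating the transported credentials) is responsible for establishing the context. A remote command that cannot be tied to an authenticated principal therefore fails before any jBPM-level TokenPermission or TaskPermission check would even be reached.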