For the purposes of securing the Remoting 3 HTTP transport, I intend to rely on HTTPS and standard HTTP authentication mechanisms to provide the authentication and encryption for the transport. Another possibility would be to use a SASL layer nested inside of the HTTP request body. However, because the user-provided message headers would not be encrypted if this option were followed, I opted against it. In addition, it makes more sense to me to reuse existing mechanisms rather than invent new ones. Any comments? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4121871#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...