"ataylor" wrote : That would be exploitable since a rogue client could just send
(guess) someone else's user id. Is that different from how the
createconnectionrequest works now?
|
Yes.
Create connection request takes a user id, *and* a password. The password is hard to
guess.
If you authenticate and then allow the same user id to be used in subsequent operations
without a password, then that's exploitable, since authentication is already done by
that point.
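The point made in the reply above, as an added example that is not part of the original post or of any JBoss code: a server that trusts a client-supplied user id after authentication, next to one that takes the identity only from server-side state bound to an unguessable token issued at connection time. The `Server` class, its method names and the sample users are hypothetical.

```python
import hmac
import secrets

# Constructed sample credentials (illustrative only; a real store holds password hashes).
USERS = {"alice": "s3cret-a", "bob": "s3cret-b"}


class Server:
    def __init__(self):
        self._sessions = {}  # unguessable token -> authenticated user id

    def create_connection(self, user_id, password):
        """Authenticate once, then return a random token bound to user_id."""
        expected = USERS.get(user_id)
        if expected is None or not hmac.compare_digest(
                expected.encode(), password.encode()):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        return token

    def send_weak(self, claimed_user_id, body):
        """Flawed: accepts whatever user id the client names, with no password."""
        if claimed_user_id not in USERS:
            raise PermissionError("unknown user")
        return (claimed_user_id, body)

    def send_bound(self, token, body):
        """Hardened: the identity is looked up server-side from the token."""
        user_id = self._sessions.get(token)
        if user_id is None:
            raise PermissionError("no authenticated connection")
        return (user_id, body)


def demo():
    """Bob authenticates, then each handler decides who the message is from."""
    srv = Server()
    bob_token = srv.create_connection("bob", "s3cret-b")
    weak = srv.send_weak("alice", "hi")       # Bob names alice and is believed
    bound = srv.send_bound(bob_token, "hi")   # attributed to bob, no id accepted
    return weak[0], bound[0]
```
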