One issue I just ran into is the duplication of the org.jboss.security.{AnybodyPrincipal,AnybodyPrincipal,SimplePrincipal} in the jboss-metadata project. These are Principal implementations that should not be defined by the metadata layer. They really belong in the security project/security aspect project (where they currently are). Removing these means breaking the legacy org.jboss.metadata.BeanMetaData.getMethodPermissions which returns a Set of Principals. The only way around that is to add a PrincipalFactory api to the metadata project, or add such an interface to the jboss-security-spi and have jboss-metadata depend on that. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4091612#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...