i also removed the comments in the web.xml about the security warning around the gpd deployment servlet. that should be in the documentation, i think. in 3.2.1 it's doing to take to long to fix this as we would have to fork and make a new release of the old designer. so in 3.2.1, i still want an open gpd deployment servlet and a warning is most appropriate in the release notes, i think. then in 3.2.2, i want the GPD to add authentication info to the request that uploads the servlet and the servlet should be secured. then, users can control the authorization by just logging into the webapp and removing the gpd user. this plays out nicely with the users on the login page. cause when people remove the users, then nobody will be allowed to upload a new process definition. btw, it would be good if you could add minimal documentation for the console in the user guide. 2 or 3 pages is already a good start. it could cover deployment and usage. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4054626#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...