No, application managed security means an application context specific security aspect. If you want it hard coded in a class file the aspect uses a classloader. Same for a properties file. The point is, there is no reason why application managed security means that the username and password have to be passed to the jca provided connection factory getConnection call. If it is available because some user passed it in, fine, but it is not how server frameworks should be coded. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4009619#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...