Hi, My login-config.xml is like this. Code: | <?xml version='1.0'?> | <!DOCTYPE policy PUBLIC | "-//JBoss//DTD JBOSS Security Config 3.0//EN" | "http://www.jboss.org/j2ee/dtd/security_config.dtd"> | <policy> | <!-- For the JCR CMS --> | <application-policy name="cms"> | <authentication> | <login-module code="org.apache.jackrabbit.core.security.SimpleLoginModule" flag="required"/> | </authentication> | </application-policy> | | <application-policy name="portal"> | <authentication> | <login-module code="com.tsky.customlogin.CustomLoginModule" flag="required"> | <module-option name="unauthenticatedIdentity">guest</module-option> | <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option> | <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option> | <module-option name="additionalRole">Authenticated</module-option> | </login-module> | </authentication> | </application-policy> | </policy> | My requirement is to avoid concurrent login. Means user should not login from more than one session at a time. Once he is in logged in state, we should not allow him to login in another session. So i am overriding LoginModule and writing some logic to avoid. But the problem is, If the user is looged in, It is not even going to Login module. It is directly taking from cache and allowing him to access the application. So i have removed password-stacking module option. Even then, It is behaving as same. I have posted this in Jboss-user forum but got no reply. Can anybody halp he out in this? thanks in advance... View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3993718#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...