From Scott's quote:
instead of just a Subject representing the security context, we should have a security
context that contains a Subject, trust domain info, authorization info/pointers, etc. to
allow better integration/reuse of authorization aspects.
There is a need for a unified Security Context that holds both the authentication and
authorization aspects together. I would like to get ideas on this from the community.
We already have SecurityAssociation acting as a central security floater (that takes care
of the subject/runasidentity etc).
Where would this Security Context reside?
In my experiment, I tried a SC that was fitted inside the SA in a threadlocal, but ran
into thread safety issues.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3966261#...