Adrian, I think I have fixes for the JCA layer now. I need to test a bit and check it in this week. * We inject a security domain name (this is as before) as well as a SubjectFactory instance into the connection mgr. The SubjectFactory implementation provides the subject to the connection manager. All the internal details such as getting the principal/cred etc are hidden from the jca layer. * I am retaining the setJaasSecurityMgrService(ObjectName) and getJaasSecurityMgrService() methods for backwards compatibility (or should I just remove them?) View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4151881#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...