Are you saying that a SASL authentication mechanism should be implemented on top of JAAS rather than as part of the JBoss Security? I don't think that will work as the SASL mechanism requires the password in order to perform some of the data hashing. The JAAS API does not allow the retrieval of user credentials (only submission). Mike. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4047798#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...