You understanding is correct. The problem as I see it is that this is really more of a component lifecycle issue rather than a deployer issue. In our old deployment framework deployment and component lifecycle were tightly coupled. Now the deployers are just translating metadata into kernel beans, and the kernel lifecycle/dependency should be triggering things like commiting the PCs before the deployment components are fully started. The associated java.security.Policy object also needs to be refreshed after this. The best way would be to hook in a JaccSetup pojo would be a bean apon which the "container" beans dependend. Maybe this is best done via injection of the bean representing the security domain. I think its just going to take a fair amount of refactoring to properly leverage the mc where approriate. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3977395#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...