Kevin mentioned that there is precedence in using JAAS for login. Not sure where that is. Since the STSAction was just getting a token, I feel that it should be replaced by a generic Security Action that internally does JAAS login. So you can plugin login modules there to get the desired token. Or you can circumvent a call from going further if an user desires. So either a generic SecurityAction (or call it JAASAction) or reuse any JAAS framework that exists around the region where STSAction was supposed to get into play. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4261887#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...