Yes.
|
| Create connection request takes a user id, *and* a password. The password is hard to guess.
|
| If you authenticate and then allow the same user id to be used in subsequent operations without a password, then that's exploitable, since authentication is already done by that point.
Of course!
anonymous wrote: Instead you could maintain a map of packet target id to user id in the server side filter and use that.
Ok, so adding and removing the users from the map on creating a connection and closing a
connection is fine. If the server closes the connection via the connection manager on
client fail, the interceptor wouldn't get called and the user would remain in the map.