"scott.stark(a)jboss.org" wrote : We just need to support the introduction of static roles. Where authentication is done to obtain a Subject, a post authentication interceptor can be added to optionally associated deployment level roles + mappings. This interceptor would have to be in between the authentication and authorization interceptors. | | In the web container, the construction of the JBossGenericPrincipal roles needs to consult the deployment metadata. | That made perfect sense. Thanks Scott. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018057#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...