I just remove all the invokers except for the JVM invoker. I don't see the type of security you mention to be generically useful enough to incorporate it as it would complicate security pretty dramatically. Besides you'd have to store the user/password for the mail listener locally anyway and if anyone has the abillity to deploy an app then they presumably have the abillity to get at that password. I'm not 100% against it if you can demonstrate it in a non-invasive generically useful way...but this seems like a special requirement and I don't see a great deal of non-perception-only security added by it... Maybe I'm wrong...but I don't see it. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3961659#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...