We already handle JAAS login as part of the security on the service, which is the level at which we are enforcing security credentials. There is no need for a separate action. What should happen, though, is that this functionality should be moved out to a LoginModule and that these should really be part of the identity framework (wither directly or as an extension) so that they can be used in other areas. At present we are providing the LoginModule as part of our codebase and this does not seem right. Kev View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4261890#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...