No, because the dependency on a particular implementation of the security aspect is not deployment level metadata. The deployment specifies the security domain and j2ee permissions/roles. Its a server configuration that says the security aspect is using jacc and the associated deployer introduces the metadata for the components that implement jacc. That is not to say in the future we might have directives that control the deployment processing, but we should not be overloading the legacy descriptors with new aspects. The security configuration aspect should be another layer independent of jboss-app.xml, jboss.xml, etc. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3992123#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...