AFAICT, introduction of a custom authenticator , will not make the call-out to a realm mandatory, because there is no requirement on the custom authenticator to call the realm interface. It can do its job inhouse. But this will lead to a lot of duplication in authenticator code. It certainly does not make sense for the realm interface to have scaled down information plucked from the request object. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962934#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...