I have a new realm called as JBossWebRealm that unifies the two realms (JBossSecurityMgrRealm and JaccAuthorizationRealm) plus makes the callout to the Authorization Framework for the authorization decisions. A default WebAuthorizationModule (always authorizes because the RealmBase makes the final decision) and a JaccAuthorizationModuleDelegate for the web layer does the jacc decisions. This is on test run with the jacc suite of tests. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957099#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...