"tfennelly" wrote : So that was some basic configuration. How about adding security etc? Yes, security has to be included. It needs to cover authentication, transport guarantees, security constraints and integrate into the security work done by Daniel. "tfennelly" wrote : 1. Add a strict config model inside the ESB config file whereby we only allow certain configurations and we manually map those appropriately to the web.xml going into the generated .war sub deployment. This allows us to remain in control of what we support and is the preferred method. "tfennelly" wrote : 2. We allow the user to specify a suplemental web.xml that gets merged into the generated web.xml. The user would define the "extra" configs as per the web.xml schema. We could allow them specify this inline in the esb config, or externally. We might want to restrict the config types we allow in this e.g. you can't define any servlet/filter configs etc?? This is likely to lead to problems unless the restrictions are so strict as to end up with the equivalent of the first suggestion. Adding explicit support, especially under our control, is much easier than disabling parts. "tfennelly" wrote : The existing http gateway also supports configuration of allowed http methods. Do we need to bring this along? Yes, we need to retain support for the following verbs, DELETE, HEAD, GET, POST and PUT. We also need to provide automatic support for OPTIONS so that someone can determine what capabilities are present. Only TRACE, as currently implemented, is not required. Kev View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4238130#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...