Effectively, that is what SPNEGO does. So does NTLM. Neither protocol is as simple as
just getting some credentials and then validating them.
The server sends an authorization header. The client responds with a token. That token
is validated, wrapped, and sent back to the client. The client returns a final token
which can be used to get identifying user attributes.
That's why I felt that I needed to take the seemingly strange approach that I took.
I'm always interested in hearing about ways to improve what I've done, so please
don't stop using a critical eye on this stuff.
Thanks!
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3967345#...
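The multi-leg exchange the post describes (401 with a WWW-Authenticate challenge, client token, server validates and wraps a reply token, client returns a final token before the user is known) is modelled below as an added example, not code from the original post or from JBoss. The acceptor is a constructed stand-in for a real SPNEGO/NTLM security context, and the INIT/CHALLENGE/FINAL token formats are invented for the example; the point it shows is that a half-finished context has to survive between separate HTTP requests, so the server cannot treat authentication as one credential check.

```python
import base64
from typing import Dict, Optional, Tuple

class MockAcceptor:
    """Constructed stand-in for a GSSAPI/SPNEGO or NTLM acceptor (not JBoss code).
    It must see two client tokens before the context is established, which is
    what forces the extra 401 round trip."""
    def __init__(self) -> None:
        self.leg = 0
        self.principal: Optional[str] = None

    def accept(self, client_token: bytes) -> Optional[bytes]:
        """Consume one client token; return a token for the client, or None when done."""
        self.leg += 1
        if self.leg == 1 and client_token.startswith(b"INIT:"):
            return b"CHALLENGE:" + client_token[5:]   # wrapped challenge (constructed format)
        if self.leg == 2 and client_token.startswith(b"FINAL:"):
            self.principal = client_token[6:].decode()
            return None
        raise ValueError("token out of sequence at leg %d" % self.leg)

def negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()

class NegotiateServer:
    """Maps the multi-leg exchange onto HTTP 401/WWW-Authenticate round trips.
    Half-built contexts are kept per connection, because each leg is its own request."""
    def __init__(self) -> None:
        self._contexts: Dict[str, MockAcceptor] = {}

    def handle(self, conn_id: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Negotiate "):
            return 401, {"WWW-Authenticate": "Negotiate"}       # leg 0: demand a token
        ctx = self._contexts.setdefault(conn_id, MockAcceptor())
        try:   # binascii.Error from bad base64 is a ValueError subclass
            reply = ctx.accept(base64.b64decode(auth[len("Negotiate "):], validate=True))
        except ValueError:
            self._contexts.pop(conn_id, None)                   # drop the partial context
            return 401, {"WWW-Authenticate": "Negotiate"}
        if reply is not None:
            return 401, {"WWW-Authenticate": negotiate_header(reply)}  # not done yet
        self._contexts.pop(conn_id, None)
        return 200, {"X-Authenticated-User": ctx.principal}

def run_exchange(server: NegotiateServer, conn_id: str, user: str) -> list:
    """Drive one client through all legs; returns the status codes seen."""
    statuses = [server.handle(conn_id, {})[0]]
    statuses.append(server.handle(conn_id, {"Authorization": negotiate_header(b"INIT:" + user.encode())})[0])
    statuses.append(server.handle(conn_id, {"Authorization": negotiate_header(b"FINAL:" + user.encode())})[0])
    return statuses
```

An out-of-sequence or malformed token discards the partial context and restarts from the bare challenge, so a client cannot skip straight to the final leg.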