anonymous wrote : Good point. When I think about it, I don't really see what's wrong with having the username/password on the ServerConnectionEndpoint. After all they're just attributes, as long as the security logic itself is not there but in the interceptor then that should be ok IMHO. Can you clarify! I'm not sure i follow, the interceptor has no access to the ServerConnectionEndpoint. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4127346#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...