"wolfc" wrote : I concur, but only partially. | | If we create a EJB3 security spi which is provided by the EJB3 core and implemented by both EJB3 AS 4.2 security int and EJB3 AS 5.0 security int, then we don't have a lot of divergant code. | Configuration of the security int is then done in the EJB3 deployer meta data. Rather than every individual project define a security spi in the AS workspace, why shouldn't the security integration module in the AS workspace have a spi that both the 4 and 5 code base in the AS can leverage? This is the direction. EJB3 will depend on the interfaces defined in the security module of the AS workspace. I brought this issue with Scott and he concurred. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4053039#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...