I have been thinking about the run-as scenarios. It will not be difficult to define the various semantics of this - in-vm or an explicit trust association (via transport, saml assertion or custom). One implementation issue I have is how will the client proxy pick up the caller security context that includes any deployment level trust settings without using some kind of a threadlocal stack (one level will be sufficient), just like the current SecurityAssociation stacks. This is really important for inter-vm calls. Some kind of an injection semantics will suffice, but I am not aware of any such setup within JBoss. Any possible ideas here? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3996170#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...