How authentication fits into javaee was the subject of jsr196 (Java Authentication SPI for Containers). It was not integrated into javaee 5 though. Your never going to have a standard properties file, or xml file for this info. There is an extension to the JAAS Configuration object that will have provider specific stores. All of our containers need to move to supporting this type of security aspect. The getX(username, password) of api is broken as it exposes security as an api with a non-extensible representation of identity and proof of identity rather than an aspect that can be configured for the operation environment. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4009591#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...