We have to be able to build up dependencies across deployers. If the metadata for the mbean/pojo security layer cannot be done this way, then you need a security metadata deployer that runs after deployment type deployers to merge the security metadata to build the proper instances. The naturual place for this is every container needs a dependency on a SecurityDomain object to gain access to the authentication/authorization interfaces. We need to talk through how this can happen such that the jacc policy configuration object lifecycles tie into the top level deployment starting. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3978185#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...