I am saying is that the login modules in JBoss should not be further tainted with sasl semantics just the way they have been done with authorization semantics. The login modules are supposed to just do authentication and establishment of the subject. The sasl enabled implementation of the SubjectSecurityManager(or AuthenticationManager) can still delegate to the JAAS framework underneath. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4047694#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...