Hi Stefan, anonymous wrote : We could use a default provider (specified in the WS-T configuration file) but I don't think this is a good idea because a default provider could cover a potential client-side error. In other words, the client app could be expecting an exception to be thrown if the user forgets to specify the token type or target endpoint but instead gets a 'default' token from the STS. This makes perfect sense. Thanks for clearing this up. anonymous wrote : Actually, the STS respects AppliesTo precedence, so no fix is needed. Great :) Thanks, /Daniel View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4257520#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...