Ok, I'll take a look at it when I get a chance. Another workaround is to just fix the parameters for a user via lookup outside of the sasl exchange, or fix them period. This is discussed some in this paper: http://srp.stanford.edu/srp6.ps Encoding the information in the 'password' would also not be that bad. Just make it the base64 representation of the byte[] from an ObjectOutputStream containing the serialized parameters. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4096995#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...