"bdaw" wrote : Forgot to mention this. We aim to be AS agnostic, so for authorization we should investigate and drop any dependency on services that is are portable. How JBoss Security fit in this? I know about Portal's AS agnostic intentions. JBoss Security is just an SPI and an implementation. There is nothing that is AS dependent. It should be geared to run in a MC. It does not even require JMX. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4079681#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...