BTW, for the purposes of this discussion I'm assuming that we just need to agree that there is such a thing as a PEP or equivalent in the components that require hooks for identity/authentication. It obviously shouldn't be mandated by this framework how they are implemented by those components/projects only what they need to do in order to conform. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4187772#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...