We should be using a better api than the SecurityAssociation to start with. Anil would have to comment on whether the SecurityAssociation should still be backwards compatible, but a JAAS login is the guaranteed supported api. I did raise an issue about the ejb3 client security interceptor not creating a valid SecurityContext from the information passed in by one of the client jaas login modules. Also, we discussed dropping the ejb3 facade and just introducing a secured remote proxy to reduce the dependencies an admin client has to have. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4242260#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...