OK, having some more time ;-). I think I misunderstood your question: you are still at the web level of security configuration, but I was much deeper in the security config ;-). I think for the web layer, this is not possible. The only way I can imagine is that you call the authentication yourself using this: http://www.jboss.org/community/wiki/WebAuthentication If the certificate login attempt fails, you might perform a user/password login. Or you could try to find out how to extend JBoss to use multiple auth methods. For the JBoss specific config of the multiple login modules, here is a helpful link: http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.... See the sample for an application-policy named "todo". Hope this helps Wolfgang View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4258201#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...