to integrate with the JAAS security realm, your best bet/cleanest solution would be to write your own Tomcat Authenticator (which is actually a form of Tomcat Valve) Authenticators are actually pretty simple in tomcat and best source of "How To" is the tomcat source code and see how the existing Authenticators like Form, basic, etc are written. You should be able to write your own looking at that. On the otherhand, I don't know what your authentication requirements are but most of the times LoginModules are able to create application state just fine. You have access to the HttpServletRequest, HttpServletResponse, and HttpSession inside your LoginModule, so what other objects do you need to populate/setup the proper LoginContext for your application? Thanks View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4071414#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...