You actually bring up a good point about not wanting to use JAAS.
Although I recommend JAAS for obvious benefits (standard, identity propagation through
various layers in the container, etc.),
if some lightweight app wants to do custom login behavior, maybe there might be value in
creating a contract very much like the IdentityManager that will let custom login use cases
do what they do, but still keep token management inside the valves in the framework.
The key is to figure out what the contract between the framework and the custom login
behavior will be....
Thinking along the lines of what objects need to be created and placed in what scope
(request, session), etc.
I will have to think about this one ;)
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3982558#...