Now my second question. My apologies that this is more out of my own ignorance of JBoss
and Security than anything specific to your security API but I am trying to make the best
decision I can upfront for security in a little web application project that I am starting
on the side, both to solve an IT problem and to learn more about JBossAS, EJB3, and Seam.
So, I hope you can shed some light on the issue for me. I would really appreciate the
input.
I have successfully implemented JAAS security of my Seam web app, following several steps
posted throughout the forums. It entails a LoginModule and JAAS security domain and a FORM
configuration in the web.xml file. Then after the authentication occurs a @Factory method
is called that populates the Seam context with my actual User object (from the Seam/EJB3
EntityManager) by retrieving the Principal subject out of the facesContext object. So,
that is all good, however... the issues with this are:
Using the LoginModule requires (potentially) two hits to the database, or a partitioning
of my user and authentication data across different sources. For example, JAAS login via
the UserRolesLoginModule from user.properties file, then a lookup of user data in EJB3
EntityManager to populate the Seam context. (In a way, I find the partitioning attractive
because it keeps the authentication elements out of my application data, where it is not
necessary.)
Second, the security is configured in the web.xml at the url level rather than in the
Beans themselves. So to ensure security I have to write these regexes to process the URL
and/or be very careful where I deploy my xhtml files to properly secure them. This is what
I find particularly distasteful!
The solution you're developing seems to streamline this process in a very nice way for
Seam components. I am wondering how does this solution relate to JAAS? For instance, I
know (or think I know) that with JAAS security I can secure my EJBs from remote clients,
if I choose to setup remote interfaces for them in the future - which is a likely
possibility. Can the two live side-by-side? The Seam security for the web app and the JAAS
security for the EJBs. Is this a reasonable approach?
Or, am I way off base in tackling this problem?
Thanks in advance for any recommendations on solving this issue.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3986557#...
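As an added illustration (not part of the original post, and not code from Seam or JBoss), this is the kind of web.xml fragment the URL-level approach described above relies on, written the way a security reviewer would want it checked: the constrained pattern covers the pages as they are actually reached through the Faces servlet, a second constraint with an empty auth-constraint blocks direct fetches of the Facelets sources, and no http-method elements are listed (listing some methods leaves the unlisted ones unconstrained). The paths, the role name `user`, the realm name and the security domain name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (Servlet 2.4 descriptor as used by JBoss AS 4.x / Seam 1.x).
     Assumed: the Faces servlet is mapped to *.seam, protected pages live
     under /secure/, the login page is /login.xhtml, and the JAAS security
     domain is named "seam-app". -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Check 1: deny direct access to Facelets sources. An empty
       <auth-constraint/> means no role can satisfy it, so /secure/page.xhtml
       cannot be fetched as raw markup, only rendered via /secure/page.seam. -->
  <security-constraint>
    <display-name>Block raw Facelets sources</display-name>
    <web-resource-collection>
      <web-resource-name>Facelets sources</web-resource-name>
      <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Check 2: require login for the protected area. No <http-method>
       elements are given on purpose: if you list GET and POST, every other
       method (HEAD, PUT, ...) falls outside the constraint. -->
  <security-constraint>
    <display-name>Protected pages</display-name>
    <web-resource-collection>
      <web-resource-name>Secure area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- Check 3: FORM auth sends the password in the clear unless the
         transport is required to be confidential. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM login handled by the container; the LoginModule behind it is
       selected by the security domain in jboss-web.xml:
         <security-domain>java:/jaas/seam-app</security-domain>
       which in turn names an <application-policy> in login-config.xml. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>seam-app</realm-name>
    <form-login-config>
      <form-login-page>/login.seam</form-login-page>
      <form-error-page>/login.seam</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an auth-constraint must be declared. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>

</web-app>
```

The practical check after deploying: request a protected page both as `/secure/page.seam` (should redirect to the login form) and as `/secure/page.xhtml` (should be refused outright, not served as source), and try a non-GET method such as HEAD against the protected path to confirm it is also constrained. The role name the LoginModule assigns to the Principal must match `user` here exactly, or every authenticated user will be denied.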