Hi Yuan, Unfortuneatly I have not attempted acegi, and instead created my own security layer (using JACC and database authetication on some custom user, role, and user_role entities), but I have not been succesful in implimenting hasPriveledge yet! I followed the wiki items on JACC container security. THANKS TO THOSE GUYS. I believe from looking at CVS that Shane is specing out a Seam security layer , using a servlet filter, but this looks very work in progress. I don't know how far they have got or what scope there implementation will be (method level role, or user object level permissions). I hope they look into user object level permissions as this could be done quite elegantly with Entity inheritance. So I imagine if you have any valid learning points it would be useful to the Seam guys. Hope this helps, James View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3960710#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...