I reviewed Sohil's post and did review the Tomcat Authenticator and I can now see what the hurdles are in regard to circumventing the Tomcat Valve. Portal extends the JBoss security which extends the Tomcat security scheme although I think it is still possible to setup a portlet with just portal authorization would get pretty ugly. So rewriting the Tomcat Authenticator and applying as a custom servlet would be the easier route. Not sure what that will be but if anyone has done this I and Indy would appreciate it if you would share some code. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4075563#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...