I think the use case is slightly different. The way I enabled the HTTP basic auth is based
on the reference doc by editing the components.xml file:

    <web:authentication-filter url-pattern="*.seam"
        auth-type="basic" realm="My App"/>

All pages are protected already with the url-pattern attribute and there are no additional
changes to the pages.xml file or annotations to the class, such as "restricted".
I swapped in your changes to the application and tested again, and it is still broken. I
see what is missing from your testing. In the components.xml file, I specified:

    <security:identity
        authenticate-method="#{myAuthenticator.authenticate}" />

So "myAuthenticator.authenticate()" should be invoked when you validate the
username/password. But with your fix, it flagged the identity component as logged in
without invoking my authentication method.
What this means is that my authentication logic is not used at all, and the user can enter
any random string as username/password to get in the protected area.
The only thing different from what I described before is that Seam accepts any username /
password and doesn't repeatedly prompt the browser for the username / password.
Another thing worth mentioning is that the hasRole() may never get called as my app does
not use the "role" to authorize access yet.
Did I make myself clear? Please specify an "authenticate-method" and see if it is
triggered in your test.
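
A regression check for the behaviour described in the post above, as an added example that is not part of the original post and not Seam code: it asserts that a Basic-auth protected URL answers 401 to missing, random and wrong credentials and 200 only to valid ones. The `Stub` server, the account in `VALID` and the `/home.seam` path are constructed so the check runs offline; `check_basic_auth` can be pointed at a real deployment with a real test account.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID = ("alice", "correct-horse")  # constructed test account
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # bypass proxies

class Stub(BaseHTTPRequestHandler):  # local stand-in for the protected app
    call_authenticator = True  # False models the behaviour reported in the post
    def do_GET(self):
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        ok = False
        if scheme == "Basic":
            user, _, pw = base64.b64decode(token).decode().partition(":")
            # Without the authenticator call, any Basic header is accepted.
            ok = not self.call_authenticator or (user, pw) == VALID
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="My App"')
        self.end_headers()
    def log_message(self, *args):  # keep test output quiet
        pass

def status(url, creds=None):  # HTTP status of a GET, optionally with credentials
    req = urllib.request.Request(url)
    if creds:
        token = base64.b64encode(":".join(creds).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_basic_auth(url, valid):
    """Return the names of the cases whose status differs from the expected one."""
    cases = [("no credentials", None, 401),
             ("random credentials", ("nosuchuser", "random-string"), 401),
             ("wrong password", (valid[0], valid[1] + "x"), 401),
             ("valid credentials", valid, 200)]
    return [name for name, creds, want in cases if status(url, creds) != want]

def run_against_stub(call_authenticator):
    handler = type("Handler", (Stub,), {"call_authenticator": call_authenticator})
    with HTTPServer(("127.0.0.1", 0), handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return check_basic_auth(f"http://127.0.0.1:{server.server_port}/home.seam", VALID)
        finally:
            server.shutdown()
```

An empty list from `check_basic_auth` means every case behaved as expected; any returned name is a failed expectation.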