OK, what you need then is a way to hook up the access control info in your web.xml with some authentication mechanism. For that, you need a login module. You can read up about it in the docs, the security chater, probably starting with this [url][http://www.jboss.org/file-access/default/members/jbossas/freezone/do...] Essentailly, you need to do two things. First, you need to setup an application-policy entry in server/xx/conf/login-config.xml. This entry describes how authentication will take place. That file has several examples. Then you need to create a WEB-INF/jboss-web.xml file in your web app and identify the security domain that you set up in login-config.xml. Here is a post that appears to have all of the pieces, using a database to store the authentication data: http://www.jboss.org/index.html?module=bb&op=viewtopic&t=154350 View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4235706#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...