Ok, now I am finding out more: it seems like the security check doesn't happen until a secured method is invoked, and if the security check fails, it just throws an exception. This seems ridiculous, but that's what I'm finding in docs like this: http://www.awprofessional.com/articles/article.asp?p=394898&seqNum=2&... Could this possibly be correct? There's no method to just log in, but I have to invoke some method and look for an undocumented exception? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4017476#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...