Or you can take the user type password and ran it through one way encryption (e.g. md5) and compare that hash with what is stored in the database. It is probably safer. One caveat: If your user forgot their password, the password has to be reset and then send to them. After they got in, they can still change the password to something they can remember. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4041120#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...