Thanks Shane - I'll have to try the latest of course, but when you say there's no guarantee how many times the authenticate method will be called, yet both issues have been resolved, what does that mean for those of us who write their own "login" method and configure it in components.xml using the "authenticate-method" attribute? Can we be assured that it will not execute multiple times outside the programmer's control? This double execution on a single failed login attempt is one of the big issues, isn't it? Thanks again, Shane. - Joe View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4102228#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...