Unfortunately... I don't think there "has" to be a way; that is the problem.
The servlet spec does not require it.
If you use one of Tomcat's authentication methods -- basic, form, etc. -- the
credentials carry through very nicely and it is all wonderful. JBoss provides a way from
Tomcat -> EJB layer but not vice-versa.
I am using AOP security and after the complexity of getting that running right, I'm
very pleased. I think this will do everything needed, one can protect any function with
it. You will need a JaasLoginFilter or equivalent for the web layer, plus stuffing the
username/password into the session.
If you absolutely must do it with Tomcat, realize it's a Tomcat issue -- a custom
Valve or Realm might work. But I think that would be extremely fragile with respect to
upgrades.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4013922#...