Thanks jaikiran for your gratuitous effort. "jaikiran" wrote : | You have the "Code" button which you can use while posting to wrap those contents in a code block to avoid the mess. | Thanks, I'll use the code button from now on. "jaikiran" wrote : | Now you have secured this servlet using BASIC authentication and a custom login module. Apart from the webservice part this appears to be an attempt to secure the servlet. It should not matter that the servlet is being used by webservice. Am i right? | This is my understanding as well, although I've never secured a servlet before, (or an EJB)... I rarely even lock my car... --so I could be way off here, but I think in large part, this gets to the essence of my question, --can I even use declarative security to secure my web service endpoint in the form of a web-method through JBossWS... "jaikiran" wrote : | If yes, then when you type in the URL: http://localhost:8080/CentricityPractice/CPWebService do you see the pop up asking for user name and password(since you are using BASIC authentication)? | Thanks, I thought so too, but no sale. Referencing that url from a browser simply lists the exposed web service(s), no log in. What I would prefer is to not have a login-config element in my web.xml at all, (or however I would otherwise accomplish the following goal). I am in hopes that I can utilize information that the client sends over in the soap header to obtain details for the login to be performed through my custom login module. In other words, I don't want a BASIC login module to "pop up" requesting a login, and neither do I want a FORM login to allow me to configure my own custom login screen. I want the server code to be able to obtain information from the soap message header, to be used in the custom login module, without any user interaction. I put the login-config BASIC block in there as an attempt to see if I could get a reaction out of the login what-so-ever... Alas no. My current login module, although poised to do so, currently doesn't peer into the soap header, but seeks to just "return true" from the login() method. It should not require an actual login in order to just be called, no? "jaikiran" wrote : | Also, have you written any debug log messages in your own custom login module so as to figure out whether the control has been forwarded to it? | Yes, definitely. Every method prints out a lot of exclamation points, and a message saying it has been entered. I have also a breakpoint on the first line of each method in my GEHCLoginModule, and am running the application server in debug mode. Stopping at one of those breakpoints, or finding the exclamation points in my console output, would cause much rejoicing. --No sign of them yet. Continued appreciation. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3985453#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...