As I look into this more, look at the source code for 2.6, the wiki link you supplied, etc. I really am beginning to think that in some ways, you're losing your way with the security layer of JBoss Portal. All I want to do is customize the login for the dang thing for my environment. Instead, I find suggestions of JACC, and the promise of a large amount of volatility in the part of the portal related to authentication/authorization either with JAAS or JACC (and let's not forget that there's really no good documentation for customizing security now in any of the releases - download one and see if you can figure out from the docs how to get started with customizing security) The wiki link you supplied earlier suggests that you are attempting to create a first class framework for authorization as part of developing point releases of JBoss Portal; furthermore, it suggests that you expect to have to create several versions of the security framework in the path to whatever you're trying to reach - the first version will be based on JACC...what's the next version going to be based on? Are corporate customers really clamoring for such a massive overhaul in the security layer in a point release of the portal? We're customers - all we want is the portal/portlet functionality and the ability to customize security similar to what was available in 2.0.X versions of the portal. We like the page model, themes, the overall ease of developing/deploying portlets, etc. We also like how easy it has been in the past to customize security. We like the 2.6 DR1 release a lot - what we don't like is the fact that the security integration point is a moving target. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3996119#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...