anonymous wrote : I want to let the user know that they have authenticated but failed authorization and to trying logging in with another username and password that has authorization On detecting a authorization failure, why dont you invalidate the session, so that user credentials are discarded: http://java.sun.com/j2ee/sdk_1.2.1/techdocs/api/javax/servlet/http/HttpSe... However, i am not sure whether this is the right approach to follow. There might even be better approaches. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958122#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...