There is no standard schema for the database login server. As an example you can look at what it done for messaging - it uses a database login module and stores users and roles in the database. The db login module is made to be very generic so that you can use almost any schema to configure login, which is handy is you are already storing user info in the database. I guess I fail to see what using Portal to do you security would buy you. The only thing it provides above the database login module is an access control mechanism which is applied to portals, pages and portlet instances. And it has some gotchas when it comes to defining access control. I think that if your access control is already defined in your web.xml, then the login module is all that you need. I do have a resource that goes into some detail on JBoss AS security (even for the Portal), but it is not free. I can provide a link if you like. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4235759#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...