The easiest, and correct, way to do what you want to do is write your own login module, hence my reason for pointing you to a prior discussion of this topic (if you look carefully at that topic, that user also had encrypted password in the database and thus could not use the DatabaseServerLoginModule to perform the login and had to write his own login module). The DatabaseServerLoginModule should provide you with a reasonable template (or you could subclass it) within which you can do your own work to validate the user and return the collection of roles. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4050292#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...