Hi, once more. If I got it right - during the weekend - I'm twisting to mechanisms that cannot be combined. As described above I use a server-side authentication/authorisation, to secure the access to my EJB's I have to use client side, which means creating a LoginContext with CallbackHandler etc. If I got it right, this means, that ANY person can access my application, only the communication with the AS is restricted via JaasSecurityManager. ??? Bye View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4057266#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...