The security API provides page-level security - even though the component model is secure people still like to be able to secure their views for completeness. This is totally optional and if page/view security is not a concern there is no requirement to use it. On the last point, there is a security system for EJB3 however it is lacking in a number of areas. A rule-based security API will provide an innovative new solution to a problem that has been traditionally complex and difficult to implement a solution for. Integration points will exist for those who still wish to work with JAAS-based container security, however I'm of the opinion that very few situations will require this. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3994545#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...