Hello, I'm porting our custom JACC provider to JBoss. For access control I've found that JBoss is using not recommended practice of calling `getPermission' on policy provider. JACC 1.0 final release specification claims that after this call container must call `implies' method on the returned PermissionCollection object. My debug messages proof that this is not the case with JBoss 4.2.3GA. For your reference, this is ``4.8 Checking the Caller for a Permission'' specification paragraph, where someone might read: anonymous wrote : The J2EE 1.4 container calls | java.security.Policy.getPermissions with an argument | ProtectionDomain that was constructed with the principals of the caller. The | container must call the implies method on the returned | PermissionCollection using the permission being checked as argument. If the | PermissionCollection implies the permission being tested, the permission has | been granted to the caller. Otherwise it has not. This technique is supported but | not recommended. Am I doing anything wrong or is it really a non-compliant bit of JBoss JACC implementation? Our JACC provider is written in a way that it requires to have `implies' called on the policy provider. So I written simple facade PermissionCollection which behave like normal permission collection, but delegates it's implies to the policy provider. The problem is, its `implies' is not called. Do you have any idea how to convience JBoss to call either implies on the returned value from getPermission or implies directly on the policy provider? Thanks! Karelanonymous wrote : View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4206710#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...