hi, In the commit() of the client login module I add to the subject: subject.getPrincipals().addAll(tempPrincipals); subject.getPublicCredentials().addAll(tempCredentials); where tempCredentials contains the property name-value pairs: c.setProperty("nhs number", nhsNum); c.setProperty("customer id", custId); The passive callback handlers PassiveCallbackHandler has constructor that takes a username and password so its handle() method does not have to prompt the user for input. This information is supplied by a JUnit test or by a jsp which gets the information from a HTML form. There is no peripheral security restrictions. It is the custId that needs to be visible to the custom server login module. At this time the application is deployed on my desktop running a default JBoss server. Hope this helps. Cheers View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958514#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...