I agree - let me explain myself a little better. With this setup, there's effectively one control application that contains a large number of potentially useful URLs. The display sites, generated by the same app, contain a much smaller list of URLs. When a non-control user (who doesn't even know that the control site exists) visits a random URL, ie: "http://theirsite.com/foo", they receive a 404 error. If they visit a URL that on the control site (ie: http://control.com/admin), that will return them an error message saying that they're not logged in - standard security practice. If they visit "http://theirsite.com/admin") though, even though to the app its a legitimate endpoint, I wish to present them with a 404 error since its not known to their URL. One way to do this would be to have a test in the SecurityException (or however Seam security is best implemented) that normally redirects to the login page that consumes the exception and rethrows a page not found exception. That doesn't seem particularly "correct", per se, so I was curious as to whether there was a known, better solution. Its not going to be quite as messy as it sounds, by the way - all of the domains will have the same structure as far as pages existing or not existing, with the exception of the "control" domain. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4035377#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...