After a lot of time spent on this, the issue seems to be Tomcat (or arguably the Servlet specification) more than JBoss. A variant on the JassLoginFilter in the How-To works fine for accessing JBoss resources. Also as mentioned in the FAQ, #21. But there seems to be no straightforward way to log in to the Tomcat container programmatically, it is necessary to use web.xml and j_security_check etc. From what I can see online I'm not alone in my desire to find another way. It is very nice that WebLogic and Sun provide convenience classes for this purpose. I can see though that doing this is arguably outside the scope of the application server. At this point, I'm just going to use EJB/POJO security as provided by JBoss, and ignore things like Struts role-based security. Maybe the servlet spec will have this someday. :-) View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4012142#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...