JBoss Portal relies on the JACC framework for authorization. It is true that this has been removed from the documentation as it is an implementation detail. Since 2.4 we have developed an abstraction on top of JACC which hides the usage of that layer (because the layer API simply sucks, specifically the configuration part). We can work on providing documentation on the security abstraction we have however with the garantee that this framework will not change for the 2.x versions (i.e 2.4, 2.6 maybe 2.8) (JBoss Portal 3.x will work in non Java EE environement, i.e servlet container that does not provide this API implementation). View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3996211#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...