I'm writing a custom LoginModule, which raises a few questions: 1. Is it possible to package a custom LoginModule implementation on a per-application basis, or does it only work server-wide? 2. Assuming a server-wide LoginModule, is it possible to have a separate login-congig.xml per application? If so, what is its relationship to the server-wide login-config.xml (i.e. which one overrides that other one in the event of conflicts)? 3. Does a LoginModule implementation automatically have the necessary security clearance to use any restricted session beans (i.e. beans annotated with @RolesAllowed) and/or session bean methods? I ask this because I want my LoginModule implementation to use a stateless session bean to access login data. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3997111#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...