Thanks for your reply, Can you tell me how I can have the container invoke the customized login module? you can see all my config files in the previous thread. Does the container invoke a hidden servlet to handle the j_security_check action from the form? where i should place the customized login module? under \jboss_home\server\default\deploy? how many places need to be configured? jboss-web.xml, web.xml,login-config.xml, anywhere else? <?xml version="1.0"?> <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd"> <web-app> <welcome-file-list> <welcome-file>index.html</welcome-file> </welcome-file-list> <security-constraint> <web-resource-collection> <web-resource-name>SecurePages</web-resource-name> Security constraint for resources in the secure directory <url-pattern>/secure/*</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> only let the system user login <role-name>admin</role-name> </auth-constraint> <user-data-constraint> SSL not required <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login.html</form-login-page> <form-error-page>/LoginError.html</form-error-page> </form-login-config> </login-config> <security-role> The Secure ROLE <role-name>admin</role-name> </security-role> </web-app> View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4099475#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...