Answers below :- (1) If you want to use JAAS for authentication, YES (2) Passwords are NEVER stored in request. Principal can be got from the request after successful authentication by calling anonymous wrote : request.getPrincipal(). (3)After successful authentication Principal is cached till the expiry of HttpSession. Yes no, need for extra authentication till session expires. (4) Can be used from JSP's and Servlets,. For that matter any web based client is fine this way. Not Swing. You'll need to a typical JAAS login (with CallbackHandlers and config files) for that. No .NET client cannot do a JAAS login. Hope this helps View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4171574#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...