For the web layer, you can header based authentication. You will need some form of an authenticator. Look here for guidance: http://wiki.jboss.org/wiki/Wiki.jsp?page=GenericHeaderBasedAuthentication Once the login module is invoked, then the JBoss security layer takes care of the subject/caching etc. The authenticator should pluck the relevant information from the http request and then pass them to the jaas layer. Now for the ejb layer, I guess you will have to write a new interceptor and replace the security interceptor in the container configuration in conf/standardjboss.xml or write your own container config in jboss.xml in ejb jar. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3999768#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...