"shane.bryzak(a)jboss.com" wrote : The authentication should be triggered when
calling/accessing a restricted Seam component, doing the chain.doFilter() call. It
can't happen in the filter as not all contexts exist at that point in time.
My point might not be right as I am not as familiar with the framework as you are. However, I
don't think your answer is correct.
chain.doFilter() will trigger the AuthenticationFilter logic to challenge the client to
enter a username / password. Once that information is entered, the browser sends it to the
server in the HTTP header. Seam then needs to invoke the #{authenticator.authenticate}
method to perform the authentication in order to validate the username / password, which
is defined in the components.xml file:
<security:identity authenticate-method="#{authenticator.authenticate}"/>
The current logic only obtains the username / password, but does not invoke the
authenticate method to actually validate this information. If you look at the
processDigestAuth() method of the AuthenticationFilter class, you will see it actually
invokes the authenticate() method:
| private void authenticate(HttpServletRequest request, final String username)
|       throws ServletException, IOException
| {
|    new ContextualHttpServletRequest(request)
|    {
|       @Override
|       public void process() throws ServletException, IOException, LoginException
|       {
|          Identity identity = Identity.instance();
|          identity.setUsername(username);
|          identity.authenticate();
|       }
|    }.run();
| }
|
As the code shows, this invocation is done in the ContextualHttpServletRequest
environment, which creates the necessary context objects. processBasicAuth() needs to do the
same thing.
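The gap the post describes, shown as a stand-alone illustration (an added example, not part of the original post and not Seam code): a Basic `Authorization` header is parsed, and the request is accepted either as soon as credentials are present or only after they pass an authenticator. The class and method names and the sample account are hypothetical; the `BiPredicate` stands in for `#{authenticator.authenticate}`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.function.BiPredicate;

public class BasicAuthCheck {
    /** Returns {username, password} from an "Authorization: Basic ..." value, or null if malformed. */
    static String[] parse(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String pair = new String(raw, StandardCharsets.UTF_8);
            int colon = pair.indexOf(':'); // split on the first ':' only; the password may contain ':'
            if (colon < 0) return null;
            return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
        } catch (IllegalArgumentException e) { // not valid Base64
            return null;
        }
    }

    /** Gap described in the post: credentials are read from the header but never checked. */
    static boolean acceptWithoutValidation(String header) {
        return parse(header) != null;
    }

    /** Expected flow: the parsed pair must also pass the authenticator (stand-in for the configured method). */
    static boolean acceptWithValidation(String header, BiPredicate<String, String> authenticator) {
        String[] c = parse(header);
        return c != null && authenticator.test(c[0], c[1]);
    }

    static String basic(String user, String pass) { // builds a constructed sample header
        return "Basic " + Base64.getEncoder().encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample account; a real authenticator would consult a user store.
        byte[] expected = "s3cret:with:colons".getBytes(StandardCharsets.UTF_8);
        BiPredicate<String, String> authenticator = (u, p) ->
            "alice".equals(u) && MessageDigest.isEqual(expected, p.getBytes(StandardCharsets.UTF_8));

        String wrong = basic("alice", "guess");
        String right = basic("alice", "s3cret:with:colons");
        System.out.println("no validation, wrong password: " + acceptWithoutValidation(wrong));
        System.out.println("validated, wrong password:     " + acceptWithValidation(wrong, authenticator));
        System.out.println("validated, right password:     " + acceptWithValidation(right, authenticator));
    }
}
```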