hi, gavin, my reason is: in my app an user is not allowed to login repeatedly.... my idea is, everytime by login, app will check an application scop name list to see if the user name is already there or not....and when user session times out , event triggered authenticator.logout() is supposed to delete the user name from the list.... maybe it is very stupid way, can you give me some advices? Lots of thanks in advance! View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4054077#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...