I was hoping that the functionality worked as described in your second post. That's how I'd like to be remembered. But, it seems that to do that you'll need a second authenticate method on your authenticator component since the password will be unrecoverable from the cookie, and the current authenticate method requires that the password be present. I'm also assuming that the expiry in the hash is acting as the salt value for the hash. I guess I'll need to dive into that code and see if there's a way to make that happen, or just wait on the good people at jboss to add the functionality. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4018047#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...