Basically, when a user is authenticated on WebApplication A, the only way WebApplication B
can tell is through what we call a SAML token that is propagated in the form of an HTTP
cookie.
Now, if you wish to do authentication in a non-JAAS way still using the LoginProvider, you
will have to write the plumbing for creating/processing this SSO SAML token in your web
application, without which SSO won't happen between apps.
If you use the JAAS module, this token management is automatically provided by the
framework so your application does not even know that it's part of an SSO Federation. SSO
happens automagically.
This is done using the SSO valves that you configure in your context.xml found in
components/jboss_sso_tomcat5.
The valves obviously cannot be written to accommodate custom authentication use cases, hence
they have to stick to the J2EE authentication standard which is JAAS.
I am sure you can look at the code in the valves and replicate it at the application level
for your custom login mechanism.
Thanks
Sohil