"Toby451" wrote : Maybe a bug? Or is it a requirement to write side-effect free authenticate-methods on rejected logins? Not a bug, there is nothing in the Seam security API which specifies how many times the authenticate method is called. CVS contains events which are raised on failed/succeeded logins (as opposed to authentications). View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4107833#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...