basically, i tried subclassing UserPasswordLoginModule and this proved fruitless. i eventually just subclassed AbstractServerLoginModule. it seems the fact that identity and the other attributes of AbstractServerLoginModule are private was causing me all sorts of headaches. i would suggest either of the two avenues for the implementations in the org.jboss.security.auth.spi package: 1) either mark the classes as final so that it is apparent to developers that these classes are not designed for subclassing. 2) change the attributes to protected so that subclasses are given proper access to the internal attributes. TIA == stanton View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4214668#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...