This lack of a guarantee is definitely troubling. My authenticate method is fairly exotic I suppose. It actually sends a web service message to an external web service that wraps authentication functionality. Essentially, if the web service returns true, the user is authenticated. However, the web service, as it should, locks you out after three failed attempts. If the user logs in incorrectly once, and the authenticate method is called twice (or perhaps an indeterminate amount of times) by Seam, then the user has at best one more shot at getting it right. That is bad. Why is it that the number of authenticate calls is undefined? As others have asked, what are the workarounds? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4101136#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...