Hi, you should not use Tomcat methods to handle security but JBoss methods. To do this: 1) Add a file "WEB-INF\jboss-web.xml" to your web project with this content (a security domain is configured, which is something similar to your realm): <?xml version="1.0" encoding="UTF-8"?> | <!DOCTYPE jboss-web PUBLIC | "-//JBoss//DTD Web Application 5.0//EN" | "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd"> | | <jboss-web> | <security-domain>mysecuritydomain</security-domain> | ... | </jboss-web> 2) Configure a login module for this security domain. As your user data seems to be defined in a database, use a "org.jboss.security.auth.spi.DatabaseServerLoginModule": http://www.jboss.org/community/docs/DOC-9511 Hope this is enough to get started. Wolfgang View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4213040#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...