Hi PeterJ, ok, thanks - I moved the security-constraint to the portlet-instances.xml. But what can I do to prevent direct access to my war? I cannot set up a security-constraint in my web.xml, because I will be asked for username/password, when I call my app from JBoss Portal. Or is this a "single-sign-on"-issue and I have to configure jboss-web.deployer anyhow to recognize, that I'm already logged on via the portal login? Thank you very much for a tip or hint. Carsten View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4138098#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...