I need to make some changes to the design, as the fixes for JBWS-1907 and JBWS-652 have
made some changes to the schema, so the configuration for this task needs to be reviewed to
make sure it complements the previous changes.
The changes for those two Jira issues added a new 'authenticate' element to the
WS-Security configuration to allow a user to define which incoming token should be used
for authentication.
For the Jira issue I am working on I would like to add a new element 'authorize'
under the 'requires' element. This will be used to indicate that authorization is
required; as authentication is a prerequisite of authorization, this will also be the
trigger to switch on authentication.
A new operation 'AuthorizeOperation' will be added to JBossWS and this will be
called last if the 'authorize' element is present. The purpose of this operation
will be to take whatever is set on the 'SecurityAssociation' and perform the
authentication and authorization using the approach shown by Anil.
The configuration would look as follows:
| <config>
|   <requires>
|     <authorize>
|       <unchecked/>
|     </authorize>
|   </requires>
| </config>
This first example has an 'unchecked' element; this means no roles will be checked
but authentication must succeed.
| <config>
|   <requires>
|     <authorize>
|       <requiredRoles>
|         <role>friend</role>
|         <role>family</role>
|       </requiredRoles>
|     </authorize>
|   </requires>
| </config>
In this configuration the authentication will proceed and then the principal will be
checked for membership in the friend or family roles.
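The semantics proposed in the post above, modelled as an added Python example (not JBossWS code and not part of the original post). The function names, the `ConfigError` type and the rule that 'authorize' must contain exactly one of 'unchecked' or 'requiredRoles' are assumptions made here.

```python
import xml.etree.ElementTree as ET

UNCHECKED = "unchecked"  # sentinel: authenticate only, check no roles

# Sample configurations constructed from the two examples in the post.
SAMPLE_UNCHECKED = ("<config><requires><authorize><unchecked/>"
                    "</authorize></requires></config>")
SAMPLE_ROLES = ("<config><requires><authorize><requiredRoles>"
                "<role>friend</role><role>family</role>"
                "</requiredRoles></authorize></requires></config>")


class ConfigError(ValueError):
    """Malformed <authorize>; callers should refuse to start (fail closed)."""


def parse_authorize(config_xml):
    """Return None (no <authorize>), UNCHECKED, or a frozenset of role names."""
    authorize = ET.fromstring(config_xml).find("./requires/authorize")
    if authorize is None:
        return None
    unchecked = authorize.find("unchecked")
    required = authorize.find("requiredRoles")
    # Assumption: exactly one child is allowed, so an empty or ambiguous
    # <authorize> is rejected instead of silently allowing everyone.
    if (unchecked is None) == (required is None):
        raise ConfigError("need exactly one of <unchecked/> or <requiredRoles>")
    if unchecked is not None:
        return UNCHECKED
    roles = frozenset((r.text or "").strip() for r in required.findall("role"))
    if not roles or "" in roles:
        raise ConfigError("<requiredRoles> needs at least one non-empty <role>")
    return roles


def is_allowed(policy, authenticated, principal_roles):
    """Decide access for one caller under a parsed policy."""
    if policy is None:
        return True           # no <authorize>: nothing is enforced here
    if not authenticated:
        return False          # authentication is the prerequisite
    if policy == UNCHECKED:
        return True           # any authenticated principal passes
    return bool(policy & set(principal_roles))  # any one listed role suffices
```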