First SWAG: Input to the rules need only be the results of login attempts, an object something like this based on the requirements you've provided: public class LoginAttempt { public final String userId; public final String source; public final boolean successful; } Requirement 1 is pretty simple. You can use a sliding time window for that. Requirement 2 is a but more complex. I assume it's also time limited, even though that's not stated. (Or at least limited to the last N login attempts.) The definition of "varies only slightly" will be interesting. You can use string distance inside an aggregation, taking one login attempt as a "prototype" then aggregating all other recent login attempts that are withing a given radius of the prototype. Requirement 3 may not be time limited, but much more than the others if it's over the lifetime of a license. This is another use of aggregate. Just aggregate a Set of login sources for a user's attempts and check if it's size is greater than 1. About your issues: 1) Do you mean a singleton rules session, tracking all user logins? If so, yes, that's the approach I'd take. 2) The rule actions should call some external service to report user shenanigans. You could store a reference to this service as a global variable. (Or inject it from an IOC framework like Spring, if you're into that sort of thing. :) ) --- On Thu, 6/10/10, Earnie Dyke <earniedyke(a)yahoo.com&gt; wrote:

Earnie, You may want to be careful with Singletons inside the JEE engine. You may want to think about a stateless session and a static reference to a serialized KnowledgeBase in an object store (file, database, thread, etc.) available for reload. best wishes, Andrew On Jun 10, 2010, at 11:04 AM, Earnie Dyke wrote: