Hi Henry,
I vaguely remember seeing the same problem in WAS6. WebSphere
documentation says:
A username and password must be specified in the callback handler.
Custom classes that are added to the Subject on the client side should
get propagated to the server automatically whenever security attribute
propagation is enabled. You can set the password to null if you want to
use identity assertion without a password.
(http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/co...)
So when either a null or an empty string password is supplied to the WAS
login module, it takes it as an implicit sign that you want to do
identity assertion instead of authentication, and therefore succeeds as
long as the user id is valid.
As a workaround, I have seen people write their own login module that
simply rejects any null or empty password. Then they chain this login
module with the native WebSphere login module, so the latter can check
credentials where a password is supplied. This is just a workaround
however. Again I am not a WAS expert and you should probably contact one
for further help.
Hope this helps.
Tihomir
On 8/22/11 8:01 PM, hpham1067 wrote:
I have Guvnor working with WebSphere 7.0 pretty well. That said, I'm having a
problem using JAAS with the WebSphere WSLogin login implementation module, i.e.
com.ibm.ws.security.common.auth.module.WSLoginModuleImpl. It seems that
Guvnor will accept any user authentication if you specify a blank
password at the login screen. If you type in a wrong password it works as
expected, but with a blank or no password Guvnor will let the user log in, no
questions asked. Has anyone encountered this issue? Thanks in advance for your
help.
- Henry
Sent from the Drools: User forum mailing list archive at
Nabble.com.