Can I get a couple sets of JSF eyes to take a look at https://issues.jboss.org/browse/SEAMFACES-209 ? I don't think we can claim to provide a solution for securing JSF pages the way things are currently behaving. Silently failing is never (rarely?) a good idea when it comes to security. -C