Thinking about it, I guess you could also write a filter that took your credentials out of the HttpSession (assuming your Action had put them there earlier) and do something like {from JBossSecurityMgrRealm}:

    Context securityCtx = null;
    try
    {
        InitialContext iniCtx = new InitialContext();
        securityCtx = (Context) iniCtx.lookup("java:comp/env/security");
        // Get the JBoss security manager from the ENC context
        SubjectSecurityManager securityMgr = (SubjectSecurityManager) securityCtx.lookup("securityMgr");
        principal = new SimplePrincipal(username);
        char[] passwordChars = null;
        if (credentials != null)
            passwordChars = credentials.toCharArray();
        // Associate the identity with the thread only if the security domain accepts it
        if (securityMgr.isValid(principal, passwordChars))
        {
            SecurityAssociationActions.setPrincipalInfo(principal, passwordChars);
        }
    }
    catch (NamingException e)
    {
        // Security manager lookup failed: no principal is associated
    }

That might work, but I'm not sure if the filter is called before or after the security Authenticator valve on the web application.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3842687#3842687
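
A sketch of the filter idea from the post above, as an added example that is not the poster's or the JBoss project's own code. The class name and session attribute names are hypothetical, and it assumes the public org.jboss.security.SecurityAssociation accessors in place of SecurityAssociationActions. It also restores the thread's previous identity when the request ends, since request threads are reused.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import javax.naming.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.SubjectSecurityManager;

public class SessionCredentialFilter implements Filter {
    // Hypothetical attribute names; the login Action must store under the same keys.
    static final String USER_ATTR = "app.username";
    static final String PASS_ATTR = "app.password";
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        String username = session == null ? null : (String) session.getAttribute(USER_ATTR);
        String credentials = session == null ? null : (String) session.getAttribute(PASS_ATTR);
        char[] passwordChars = credentials == null ? null : credentials.toCharArray();
        Principal prevPrincipal = SecurityAssociation.getPrincipal();
        Object prevCredential = SecurityAssociation.getCredential();
        try {
            if (username != null) {
                Context securityCtx = (Context) new InitialContext().lookup("java:comp/env/security");
                SubjectSecurityManager securityMgr =
                        (SubjectSecurityManager) securityCtx.lookup("securityMgr");
                SimplePrincipal principal = new SimplePrincipal(username);
                // Associate the identity only when the security domain accepts the credentials.
                if (securityMgr.isValid(principal, passwordChars)) {
                    SecurityAssociation.setPrincipal(principal);
                    SecurityAssociation.setCredential(passwordChars);
                }
            }
            chain.doFilter(req, res);
        } catch (NamingException e) {
            throw new ServletException("security manager lookup failed", e);
        } finally {
            // Pooled threads outlive the request: restore the old identity, wipe the password copy.
            SecurityAssociation.setPrincipal(prevPrincipal);
            SecurityAssociation.setCredential(prevCredential);
            if (passwordChars != null) Arrays.fill(passwordChars, '\0');
        }
    }
}
```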