I have an application that employs form-based authentication. Once authenticated, it passes on the role/user information to the EJB container as well. Our EJBs use a declarative security mechanism specified in the descriptor ejb-jar.xml file. Right now the web container is handling the responsibility of passing on the context to the EJB container. If I have to employ a different authentication mechanism and I DON'T want to change my EJB code that checks for the user/role information, how do I go about doing it? Form authentication must be authenticating the user against the supplied user id/password, looking for the role the user is mapped to, and must be placing an object in the session that in turn is used while calling the EJBs? How do I do the same thing using a different authentication mechanism so that I don't have to change any code in the EJBs? Thanks.