I’ve been working on replacing Geronimo 2.1.4’s server-security-config plugin’s example security with our own security plugin. We need single sign on for our application which also means the same sign on process has to work with the Geronimo admin console. We need to be able to use custom realms and custom login modules in our server-security-config plugin replacement that may change depending on the environment we deploy to. I’ve run into two limitations so far that I’ve found documented online. One is that unless I want to re-deploy other plugins that use the ‘geronimo-admin’ security realm, than our custom security realm must be named ‘geronimo-admin’ as well. The other is that I ran into http://issues.apache.org/jira/browse/GERONIMO-4603, forcing me to creating a dummy properties-login gbean in order for the tomcat components to start up.  I’ve created alias’ for my plugin over the server-security-config plugin in ‘artifact-aliases.properties’ file and I’ve also disabled the server-security-config plugin and added my plugin as a loaded module in the ‘config.xml’. Unfortunately, I still cannot log into the Geronimo console using my custom security realm and login module. Geronimo has no problem starting with the current configuration and I can even login using my custom login module. Everything seems happy as far as the login process is concerned when I step through the code, but instead of seeing the Geronimo console I get a tomcat error page stating ‘Access to the specified resource () has been forbidden’.  The logs are completely clean as well as the console output. My only idea is that my admin users also need to be members of a specifically named Geronimo admin group (make my admin groups name exactly match the one setup in the default security plugin)? I have not tested this hypothesis out yet, because I have my own admin group that is used by our application that I would like to re-use as the Geronimo console’s admin group. Any other thoughts?