This shouldn't be too hard, all you should need to do is create a "securityRules" RuleBase object containing your security rules (in application scope), then create an Identity instance which you can use to invoke your unit tests against. There's plenty of useful classes in the org.jboss.seam.mock package for creating the mock scopes that you'll need - use the Lifecycle class to set these up.

I should probably add a section on unit testing to the security chapter of the docs, with some code samples.

Actually we need to add a get/set pair for the RuleBase used by Identity. That would solve the unit testing problem. You should not need contexts in order to test this stuff. JBSEAM-765

Fixed in CVS. So now you can call Identity.instance().setSecurityContext(myWorkingMemory) to test using your own working memory. Read the section on "Creating a security rules file" in the security docs to find out which objects you should populate the working memory with.