I'm using a custom login module that throws a javax.security.auth.login.FailedLoginException when the user typed an invalid password but throws a javax.security.auth.login.CredentialExpiredException when asking the user to change the password. Is it possible to find out which one has been thrown from the form-error-page? Looking at the sources, I couldn't find a solution yet. As far as I can perceive, all subclasses of LoginException get caught away in the method org.jboss.security.plugins.JaasSecurityManager.authenticate(). Is that correct behaviour? I'm currently using JBoss 2.4.6 (+ Tomcat 4.0.3) but could migrate to 3.x.y if that would help.