@scap one more thing - I've been thinking about is and think we might want to change the security filter order, so it runs the standard filter first, then Security, then an optional post security filter. This would allow things like auditing, monitoring and request context setup to happen first. It would be a breaking change to the API, but I think it's a much better model. Thoughts - or can anyone think of a case where this would be a bad thing?