diff --git a/product/ERP5Wizard/Tool/WizardTool.py b/product/ERP5Wizard/Tool/WizardTool.py
index d35d0573ab9d8b31897f4bf658546eef3512a599..62f16f92eedb7c8eb802cc6ac6a2a6b1cc3c39eb 100644
--- a/product/ERP5Wizard/Tool/WizardTool.py
+++ b/product/ERP5Wizard/Tool/WizardTool.py
@@ -45,6 +45,7 @@ from urlparse import urlparse, urlunparse
 from base64 import encodestring, decodestring
 from urllib import quote, unquote
 from DateTime import DateTime
+from Products.PluggableAuthService.interfaces.plugins import IAuthenticationPlugin
 
 # global (RAM) cookie storage
 cookiejar = cookielib.CookieJar()
@@ -416,19 +417,11 @@ class WizardTool(BaseTool):
     """Updates parameter_dict to include local saved server info settings. """
     global _server_to_preference_ids_map
     for key, value in _server_to_preference_ids_map.items():
-      if key != 'password':
-        parameter_dict[key] = self.getExpressConfigurationPreference(value, None)
-      else:
-        parameter_dict['password'] = ''
+      parameter_dict[key] = self.getExpressConfigurationPreference(value, None)
     ## add local ERP5 instance url
     parameter_dict['erp5_url'] = self.getPortalObject().absolute_url()
     # add user preffered language
     parameter_dict['user_preferred_language'] = getattr(self, 'user_preferred_language', 'en')
-    # add password from cookie
-    __ac_express = self.REQUEST.get('__ac_express', None)
-    if __ac_express is not None: 
-      __ac_express = decodestring(unquote(__ac_express))
-      parameter_dict['password'] = __ac_express
 
   def _updateParameterDictWithFileUpload(self, parameter_dict):
     """Updates parameter_dict to replace file upload with their file content,
@@ -531,7 +524,7 @@ class WizardTool(BaseTool):
   ######################################################
 
   #security.declareProtected(Permissions.ModifyPortalContent, 'login')
-  def login(self, REQUEST):
+  def remoteLogin(self, REQUEST):
     """ Login client and show next form. """
     client_id = None
     user_id = REQUEST.get('field_my_ac_name', None) or self.getExpressConfigurationPreference('preferred_express_user_id')
@@ -570,9 +563,49 @@ class WizardTool(BaseTool):
             %(came_from_method, user_id, response['server_buffer']['message']))
       return 
 
+  def login(self, REQUEST):
+    """ Login client and show next form. """
+    user_id = self.getExpressConfigurationPreference('preferred_express_user_id')
+    password = REQUEST.get('field_my_ac_password', '')
+    if self._isCorrectConfigurationKey(user_id, password):
+      # set encoded __ac_express cookie at client's browser
+      __ac_express = quote(encodestring(password))
+      expires = (DateTime() + 1).toZone('GMT').rfc822()
+      REQUEST.RESPONSE.setCookie('__ac_express',
+                                 __ac_express,
+                                 expires = expires)
+      REQUEST.set('__ac_express', __ac_express)
+      return self.next(REQUEST=REQUEST)
+    else:
+      # incorrect user_id / password
+      REQUEST.set('portal_status_message', self.Base_translateString('Incorrect Configuration Key'))
+      return self.view()
+
+  def _isCorrectConfigurationKey(self, user_id, password):
+    """ Is configuration key correct """
+    uf = self.getPortalObject().acl_users
+    for plugin_name, plugin in uf._getOb('plugins').listPlugins(IAuthenticationPlugin):
+      if plugin.authenticateCredentials({'login':user_id, 
+                                                       'password': password}) is not None:
+        return 1
+    return 0
+
+  def _isUserAllowedAccess(self):
+    """ Can user access locally portal_wizard """
+    password = self.REQUEST.get('__ac_express', None)
+    if password is not None: 
+      user_id = self.getExpressConfigurationPreference('preferred_express_user_id')
+      password = decodestring(unquote(password))
+      return self._isCorrectConfigurationKey(user_id, password)
+    return 0
+
   #security.declareProtected(Permissions.ModifyPortalContent, 'next')
   def next(self, REQUEST):
     """ Validate settings and return a new form to the user.  """
+    # check if user is allowed to access service
+    if not self._isUserAllowedAccess():
+      REQUEST.set('portal_status_message', self.Base_translateString('Incorrect Configuration Key'))
+      return self.view()
     response = self._callRemoteMethod("next")
     if isinstance(response['server_buffer'], dict):
       ## Remote server may request us to save some data.
@@ -595,6 +628,10 @@ class WizardTool(BaseTool):
   #security.declareProtected(Permissions.ModifyPortalContent, 'previous')
   def previous(self, REQUEST):
     """ Display the previous form. """
+    # check if user is allowed to access service
+    if not self._isUserAllowedAccess():
+      REQUEST.set('portal_status_message', self.Base_translateString('Incorrect Configuration Key'))
+      return self.view()
     response = self._callRemoteMethod('previous')
     command = response["command"]
     html = response['data']
@@ -700,8 +737,11 @@ class WizardTool(BaseTool):
   security.declareProtected(Permissions.View, 'getExpressConfigurationPreference')
   def getExpressConfigurationPreference(self, preference_id, default = None):
     """ Get Express configuration preference """
+    _setSuperSecurityManager(self.getPortalObject())
     portal_preferences = getToolByName(self, 'portal_preferences')
-    return portal_preferences.getPreference(preference_id, default)
+    preference_value = portal_preferences.getPreference(preference_id, default)
+    noSecurityManager()
+    return preference_value
 
   security.declareProtected(Permissions.ModifyPortalContent, 'setExpressConfigurationPreference')
   def setExpressConfigurationPreference(self, preference_id, value):