diff --git a/pom.xml b/pom.xml
index 867ba13..b2687e9 100644
--- a/pom.xml
+++ b/pom.xml
@@ -11,5 +11,6 @@
   <version>1.2-SNAPSHOT</version>
   <packaging>hpi</packaging>
   <name>Security Realm by custom script</name>
+  <description>Supports authentication by exeuting a custom script, to resolve groups for a user, a second script can be defined.</description>
   <url>http://wiki.hudson-ci.org/display/HUDSON/Script+Security+Realm</url>
 </project>
diff --git a/src/main/java/hudson/plugins/script_realm/ScriptSecurityRealm.java b/src/main/java/hudson/plugins/script_realm/ScriptSecurityRealm.java
index dc43f89..8742eff 100644
--- a/src/main/java/hudson/plugins/script_realm/ScriptSecurityRealm.java
+++ b/src/main/java/hudson/plugins/script_realm/ScriptSecurityRealm.java
@@ -26,66 +26,120 @@ package hudson.plugins.script_realm;
 import hudson.Extension;
 import hudson.Launcher.LocalLauncher;
 import hudson.model.Descriptor;
-import hudson.model.TaskListener;
 import hudson.security.AbstractPasswordBasedSecurityRealm;
 import hudson.security.GroupDetails;
 import hudson.security.SecurityRealm;
 import hudson.util.QuotedStringTokenizer;
 import hudson.util.StreamTaskListener;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.io.StringWriter;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.StringTokenizer;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
 import org.acegisecurity.AuthenticationException;
 import org.acegisecurity.AuthenticationServiceException;
 import org.acegisecurity.BadCredentialsException;
 import org.acegisecurity.GrantedAuthority;
+import org.acegisecurity.GrantedAuthorityImpl;
 import org.acegisecurity.userdetails.User;
 import org.acegisecurity.userdetails.UserDetails;
 import org.acegisecurity.userdetails.UsernameNotFoundException;
+import org.apache.commons.io.output.ByteArrayOutputStream;
 import org.apache.commons.io.output.NullOutputStream;
+import org.apache.commons.lang.StringUtils;
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.springframework.dao.DataAccessException;
 
-import java.io.IOException;
-import java.io.StringWriter;
-
 /**
  * @author Kohsuke Kawaguchi
  */
 public class ScriptSecurityRealm extends AbstractPasswordBasedSecurityRealm {
-    public final String commandLine;
+	private static final Logger LOGGER = Logger.getLogger(ScriptSecurityRealm.class.getName());
 
-    @DataBoundConstructor
-    public ScriptSecurityRealm(String commandLine) {
-        this.commandLine = commandLine;
-    }
+	public final String commandLine;
+	public final String groupsCommandLine;
+	public final String groupsDelimiter;
 
-    protected UserDetails authenticate(String username, String password) throws AuthenticationException {
-        try {
-            StringWriter out = new StringWriter();
-            LocalLauncher launcher = new LocalLauncher(new StreamTaskListener(out));
-            if (launcher.launch().cmds(QuotedStringTokenizer.tokenize(commandLine)).stdout(new NullOutputStream())
-                    .envs("U="+username,"P="+password).join()!=0)
-                throw new BadCredentialsException(out.toString());
+	@DataBoundConstructor
+	public ScriptSecurityRealm(String commandLine, String groupsCommandLine, String groupsDelimiter) {
+		this.commandLine = commandLine;
+		this.groupsCommandLine = groupsCommandLine;
+		if (StringUtils.isBlank(groupsDelimiter)) {
+			this.groupsDelimiter = ",";
+		} else {
+			this.groupsDelimiter = groupsDelimiter;
+		}
+	}
 
-            return new User(username,"",true,true,true,true,new GrantedAuthority[]{AUTHENTICATED_AUTHORITY});
-        } catch (InterruptedException e) {
-            throw new AuthenticationServiceException("Interrupted",e);
-        } catch (IOException e) {
-            throw new AuthenticationServiceException("Failed",e);
-        }
-    }
+	protected UserDetails authenticate(String username, String password) throws AuthenticationException {
+		try {
+			StringWriter out = new StringWriter();
+			LocalLauncher launcher = new LocalLauncher(new StreamTaskListener(out));
+			if (launcher.launch().cmds(QuotedStringTokenizer.tokenize(commandLine)).stdout(new NullOutputStream()).envs("U=" + username, "P=" + password)
+					.join() != 0) {
+				throw new BadCredentialsException(out.toString());
+			}
+			GrantedAuthority[] groups = loadGroups(username);
+			return new User(username, "", true, true, true, true, groups);
+		} catch (InterruptedException e) {
+			throw new AuthenticationServiceException("Interrupted", e);
+		} catch (IOException e) {
+			throw new AuthenticationServiceException("Failed", e);
+		}
+	}
 
-    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
-        return new User(username,"",true,true,true,true,new GrantedAuthority[]{AUTHENTICATED_AUTHORITY});
-    }
+	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
+		GrantedAuthority[] groups = loadGroups(username);
+		return new User(username, "", true, true, true, true, groups);
+	}
 
-    @Override
-    public GroupDetails loadGroupByGroupname(String groupname) throws UsernameNotFoundException, DataAccessException {
-        throw new UsernameNotFoundException(groupname);
-    }
+	@Override
+	public GroupDetails loadGroupByGroupname(final String groupname) throws UsernameNotFoundException, DataAccessException {
+		return new GroupDetails() {
+			public String getName() {
+				return groupname;
+			}
+		};
+	}
 
-    @Extension
-    public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
-        public String getDisplayName() {
-            return "Authenticate via custom script";
-        }
-    }
+	@Extension
+	public static final class DescriptorImpl extends Descriptor<SecurityRealm> {
+		public String getDisplayName() {
+			return "Authenticate via custom script";
+		}
+	}
+
+	protected GrantedAuthority[] loadGroups(String username) throws AuthenticationException {
+		try {
+			List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
+			authorities.add(AUTHENTICATED_AUTHORITY);
+			if (!StringUtils.isBlank(groupsCommandLine)) {
+				StringWriter out = new StringWriter();
+				LocalLauncher launcher = new LocalLauncher(new StreamTaskListener(out));
+				OutputStream scriptOut = new ByteArrayOutputStream();
+				if (launcher.launch().cmds(QuotedStringTokenizer.tokenize(groupsCommandLine)).stdout(scriptOut).envs("U=" + username).join() == 0) {
+					StringTokenizer tokenizer = new StringTokenizer(scriptOut.toString().trim(), groupsDelimiter);
+					while (tokenizer.hasMoreTokens()) {
+						final String token = tokenizer.nextToken().trim();
+						String[] args = new String[] { token, username };
+						LOGGER.log(Level.FINE, "granting: {0} to {1}", args);
+						authorities.add(new GrantedAuthorityImpl(token));
+					}
+
+				} else {
+					throw new BadCredentialsException(out.toString());
+				}
+			}
+			return authorities.toArray(new GrantedAuthority[0]);
+		} catch (InterruptedException e) {
+			throw new AuthenticationServiceException("Interrupted", e);
+		} catch (IOException e) {
+			throw new AuthenticationServiceException("Failed", e);
+		}
+	}
 }
diff --git a/src/main/resources/hudson/plugins/script_realm/ScriptSecurityRealm/config.jelly b/src/main/resources/hudson/plugins/script_realm/ScriptSecurityRealm/config.jelly
index be9173b..fd6550d 100644
--- a/src/main/resources/hudson/plugins/script_realm/ScriptSecurityRealm/config.jelly
+++ b/src/main/resources/hudson/plugins/script_realm/ScriptSecurityRealm/config.jelly
@@ -22,7 +22,13 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 -->
 <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form">
-  <f:entry title="${%Command}">
+  <f:entry title="${%Login Command}">
     <f:textbox field="commandLine" />
   </f:entry>
+  <f:entry title="${%Groups Command}" help="/plugin/script-realm/help-groupsCommandLine.html">
+    <f:textbox field="groupsCommandLine" />
+  </f:entry>
+  <f:entry title="${%Groups Delimiter}" help="/plugin/script-realm/help-groupsDelimiter.html">
+    <f:textbox field="groupsDelimiter" default="," />
+  </f:entry>
 </j:jelly>
\ No newline at end of file
diff --git a/src/main/resources/hudson/plugins/script_realm/ScriptSecurityRealm/help.html b/src/main/resources/hudson/plugins/script_realm/ScriptSecurityRealm/help.html
index a9ca7b9..79c9609 100644
--- a/src/main/resources/hudson/plugins/script_realm/ScriptSecurityRealm/help.html
+++ b/src/main/resources/hudson/plugins/script_realm/ScriptSecurityRealm/help.html
@@ -3,7 +3,7 @@
   a custom authentication scheme, but don't want to write your own plugin.
 
   <p>
-  Each time the authentication is attemped,
+  Each time the authentication is attemped (which is once per session),
   the specified script will be invoked with the username in the 'U' environment variable
   and the password in the 'P' environment variable. If the script returns exit code 0,
   the authentication is considered successful, and otherwise failure.
diff --git a/src/main/resources/index.jelly b/src/main/resources/index.jelly
index 95415c8..01e653c 100644
--- a/src/main/resources/index.jelly
+++ b/src/main/resources/index.jelly
@@ -1,3 +1,3 @@
 <div>
-  This plugin adds authentication via user-defined script.
+  This plugin adds authentication via user-defined script, in additon to the orignal script-realm, this one also supports groups.
 </div>
\ No newline at end of file
diff --git a/src/main/webapp/help-groupsCommandLine.html b/src/main/webapp/help-groupsCommandLine.html
new file mode 100644
index 0000000..5589826
--- /dev/null
+++ b/src/main/webapp/help-groupsCommandLine.html
@@ -0,0 +1,12 @@
+<div>
+  Delegates the groups resolution to a custom script.
+  
+  <p>
+  Each time the authentication is attemped (which is once per session),
+  the specified script will be invoked with the username in the 'U' environment variable.
+  If the script returns exit code 0, the output will be tokenized by the delimiter (default: ',')
+  to create a groups with each token.
+
+  <p>
+  In case of the failure, the output from the process will be reported in the exception message.
+</div>
\ No newline at end of file
diff --git a/src/main/webapp/help-groupsDelimiter.html b/src/main/webapp/help-groupsDelimiter.html
new file mode 100644
index 0000000..d3d073e
--- /dev/null
+++ b/src/main/webapp/help-groupsDelimiter.html
@@ -0,0 +1,3 @@
+<div>
+  Delimiter to split the groups within the returned output of the groups script.
+</div>
\ No newline at end of file
diff --git a/src/test/java/hudson/plugins/script_realm/ScriptSecurityRealmTest.java b/src/test/java/hudson/plugins/script_realm/ScriptSecurityRealmTest.java
index 228edca..321f0a0 100644
--- a/src/test/java/hudson/plugins/script_realm/ScriptSecurityRealmTest.java
+++ b/src/test/java/hudson/plugins/script_realm/ScriptSecurityRealmTest.java
@@ -8,12 +8,12 @@ import org.jvnet.hudson.test.HudsonTestCase;
  */
 public class ScriptSecurityRealmTest extends HudsonTestCase {
     public void test1() {
-        new ScriptSecurityRealm("/bin/true").authenticate("test","test");
+        new ScriptSecurityRealm("/bin/true", null, null).authenticate("test","test");
     }
 
     public void test2() {
         try {
-            new ScriptSecurityRealm("/bin/false").authenticate("test","test");
+            new ScriptSecurityRealm("/bin/false", null, null).authenticate("test","test");
             fail();
         } catch (AuthenticationException e) {
             // as expected