"alessio.soldano(a)jboss.com" wrote :
| I think it would be better to leave the configuration of the allowed roles to the
login module configuration. Maybe I'm missing something, but I think we could simply
let the user configure the security domain as usual and then the login module(s)
configured for that security domain will have the roles configuration.
|
The reason that we need the additional role check is because the login modules do not
actually verify the roles that the user is a member of; the login modules just load the
list of roles. The list of roles is then checked against the required roles in the
servlet container or in the EJB container.
"anil.saldhana(a)jboss.com" wrote :
| Why not just design a generic solution around invoking the JBoss Security Managers by
doing a JNDI lookup (works both in web and ejb2 containers)?
|
If the code you show is the better way to do it, then there is no problem doing it that way
as well; however, we do not have a need for the actual code to be portable across the
containers, as the WS-Security handlers are always called within a web application. Even
if you deploy an EJB endpoint, a web application is automatically deployed to handle the
actual WS requests.