There is no need to add the roles to the invocation. The principal to role mapping can be obtained via the org.jboss.metadata.AssemblyDescriptorMetaData principal to role mapping, which is available on the container passing into the interceptor. For 5.0, this is not an issue as we can use role mapping logic before authorization in the build up of the security context. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4020890#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...