I am thinking about having a look at this issue and just wanted to bring up some ideas
here. The reason I am looking at this is that, although there is a solution based on
using EJB endpoints, there is still a consistent demand for this capability for POJO
endpoints.
We currently have the following unscheduled issue:
http://jira.jboss.org/jira/browse/JBWS-1999
I have seen the contributed code, but this does not integrate with our current WS-Security
handlers, so I am proposing a more integrated solution.
My idea would be to re-open the following issue to allow the UsernameToken to be set as a
requirement on the incoming message:
http://jira.jboss.org/jira/browse/JBWS-1136
The configuration should have an attribute 'authenticate=true'; if set, we can make
use of the programmatic web authentication available from JBoss 4.2.0.GA:
http://wiki.jboss.org/wiki/WebAuthentication
In addition to this, the configuration could then contain a set of the allowed roles to
call the endpoint and, if this is set, after the authentication we could use isCallerInRole
to verify if the user is in the allowed role.
The use of the WebAuthentication above does mean that we can mainly use the standard
servlet APIs after the authentication, and this change would be achieved with a small
amount of additional configuration. As we have authenticated, this will still be
propagated to the calls to any subsequent EJBs.
I will need to consider the implications of this if a user enables it for an EJB endpoint,
as it does depend on the web app having a security domain, but the primary purpose of this
change is for POJO endpoints and not EJB endpoints.