References: https://jira.jboss.org/jira/browse/JBAS-4644 http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4175139#... When you deploy a EJB based WS, JBossWS tries to deploys an endpoint servlet in tomcat. In AS5, for ejb jars with ws, a) the ejb security deployer is called. It creates the jacc permissions. b) the ws deployer kicks in. Creates a webmetadata for the endpoint servlet and adds as an attachment. c) the tomcat deployer kicks in. Uses the webMD attached by WS deployer in the unit. The issue is that under JACC environment, since we have not passed the deployment (web metadata) via the war security deployer, the jacc permissions are not created. There is a need for the WAR security deployer to kick in between steps b) and c). The security deployers are post_classloader deployers. The WS and tomcat deployers are real deployers. Ideas/suggestions please. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4175143#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...