This has to be part of the client proxy interceptor stack. Today there is only the SecurityInterceptor that accesses the SecurityAssociation. The interceptor stack associated with a proxy needs to include whatever security aspects are needed based on the security metadata. One way would be to include several different security interceptors in the proper order so that the aggregate security context of the call is correct. Some interceptors may do nothing if there already is a security context associated with the call while others may augment it. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3997339#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...