One hack would be to create the jacc war permissions in the web services module at the location where it attaches the JBossWebMetaData to the deployment unit. This seems fine because we are just going to add the web perms to the ejb jacc policy configuration because the jacc context id is going to be the same. The dynamic web app is just an auxiliary side effect generated by the WS layer. * This would make webservices module dependent on server module. Scott, thoughts on this one? The distinct deployer architecture in the WS layer is certainly a stumbling block in all that we have strived for in AS5 (staging deployers etc). :( View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4175190#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...