The WSDL is requested via a GET and the actual services are requested via POST. So you could limit security to POST requests: <security-constraint> | <web-resource-collection> | <web-resource-name>...</web-resource-name> | <url-pattern>/MyTestWS/*</url-pattern> | <http-method>POST</http-method> | </web-resource-collection> | ... | </security-constraint> View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4167698#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...