I migrating some apps from weblogic and it appear that weblogic takes a different approach to EJB security in that if you don't specify a method-permission element in the ejb-jar.xml then it defaults to allows unchecked access to those methods where as jboss you have to explicitly marked them as unchecked. This is painful if I have to add every method individually to as unchecked if I only want to restrict access to one method. I can add the following: | ... | <method-permission> | <unchecked/> | <method > | <ejb-name>MyEJB</ejb-name> | <method-intf>Remote</method-intf> | <method-name>*</method-name> | </method> | </method-permission> | ... | To allow unrestricted access to all methods but what is the behavior if I do the following: | ... | <method-permission> | <unchecked/> | <method > | <ejb-name>MyEJB</ejb-name> | <method-intf>Remote</method-intf> | <method-name>*</method-name> | </method> | </method-permission> | <method-permission> | <role-name>valid-user</role-name> | <method > | <ejb-name>MyEJB</ejb-name> | <method-intf>Remote</method-intf> | <method-name>secureMethod</method-name> | </method> | </method-permission> | ... | Does this restrict access to users with a "valid-user" role or does the unchecked with the wildcard allow anyone to access the secureMethod? I will implement a testcase to findout and post my findings but am interested to find out what the semantic behavior is supposed to be. Oh if you want I can post this in the EJB forum if you think that's a more relevant location for this post. cheers, Aaron View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4024106#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...