While I was trimming down the test app for you, I found that my stateless session bean extends AbstractMemberBean (too much code, so I thought of removing it), and I tested the app before I was going to upload it here. I tested by removing extends AbstractMemberBean (with @SecureDomain("jaaee6-app")), and everything worked; even the @RolesAllowed method worked as expected. Any idea why? If that is the case, can't a stateless session bean extend any class? I am going to test my app without @SecureDomain and adding configuration, and let you know.