ok, I could make it working just adding a jboss.xml with this content: | <jboss> | <unauthenticated-principal>anonymous</unauthenticated-principal> | </jboss> | I thought that this could mean that it wont have any security at all, but I removed the @RunAs annotation and it stopped working... so I think that my app is still safe, and for some strange reason, I really have to put this xml to the RunAs work properly I will study the documentation to discover if this behavior is expected, and I will also look for an annotation to avoid the jboss.xml file I found a topic with the same prob, I will update it here: http://www.jboss.com/index.html?module=bb&op=viewtopic&t=72797 View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4142183#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...