Hi Wolfgang, Thanks for your hints. However, as you suspected, these settings still require previous authentication. I believe the best workaround would be to create a separate EJB module for the UserService so it can have a default security domain different from the one used in the rest of the application. The only other solution that comes to my mind is to completely remove the default security domain and use bean level annotations. The risk of forgetting to add them to new beans is high so I'll go for the two module approach. Dennis View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4266524#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...