I tried your suggestion but the pages is still rendering without authentication. The only consolation is that any <h:commandLink> that has roles set on them do not render which is as expected. However my pages are still exposed to unauthorised access. Is it that i have to somehow configure seam to read from the exceptions.xml file? Any ideas? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4012607#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...