Hi! 1. I declared SecurityDomain (ex: ClientDomain) inside jboss.xml file. And then, I package my bean to jar file (ex: myBean.jar). 2. The Stranger get it (myBean.jar), he can extract it. And he can see all things in jboss.xml file. (Here, I know SecurityDomain that I declare). I understand your mind! And it's very useful. I also think that I the Stranger can access JBoss Server (and can know about login-config.xml) --> my beans are not security. Thanks sir! View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4081147#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...