Thank's for your reply. But is it not possible to have the authentication done by the server using its login configuration ? What's the use of having a security declaration server side if a client can authenticate itself and then make any calls he wants server side ? There is really something I don't understand, I guess... My needs are : 1. a client calls a log in service server side passing a login and a password to the server, 2. the server authenticate the user, store the roles of the user in the context, 3. the authenticated client calls a secured EJB. Like it is done by a webapp accessing a secured EJB. Is it not possible ? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3976156#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...