I need some help on the following scenario: @RolesAllowed("role1") ejb1.secureMethod1 @RolesAllowed("role2") ejb2.secureMethod2 secureMethod2 has to be protected, but I have to call the method from ejb1. When I call it from ejb1 I want the container to ignore the security as the user possibly don't have the role. From a business point of view it is OK to call it from ejb1 without the role, but not from another place. I have tried AccessController.doPrivileged with no success. It seems I misunderstood it's purpose. I believe my security setup is correct as I am able to do this if the user has the required role, but fails if he doesn't. Can anybody point me in the right direction? Thank you in advance. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4210637#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...