Correct me if I am wrong, but I believe ejb's are still secured by containers. You can set up a declarative security policy with use of xml tags in the ejb-jar.xml for the container or roll your own with JAAS. If you are using JAAS then acegi security is out of the question. If you are using xml tag based security in the web.xml/jboss-web.xml, then the security context is propagated to the ejb container by jboss. In this case too acegi security is out. Cut to the chase, acegi cannot be used for ejb's. It is a filter based HTTP protocol authorization/authentication mechanism. Good for web resources & ensures web container independence. For ejb's you got to rely on container for security & as I said before containers provide 2 ways to secure ejb's ( xml tags based & Jaas based ) ... View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4116300#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...