The security API is still under heavy construction and I've yet to write documentation for it. The @Secure annotation is used to "secure" access to a component or component method by specifying which roles or permissions are required to be able to invoke it. Within the security API there are two types of permissions; "static" and "dynamic" (those are the best descriptions I can come up with). Static permissions are intended to be allocated to roles at initialization time, and to answer your question about how to set up user/roles with permissions, this bit isn't implemented yet. Dynamic permissions are used when you need to make a decision based on some contextual information whether a permission should be granted or not. The checkPermission() call is necessary because it performs an explicit permissions check against the specified object using its ACL - something that you can't do with an annotation. This is the functionality I'm currently working on, and as a result the security example may break occasionally. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3985641#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...