@RolesAllowed allows one to check whether a caller principal has a certain role in a
declarative way. Besides checking permissions on executed operations there is also
something I call entity ownership checking. This is where you want to check whether the
caller principal is allowed to update an Entity. For this I would like to use an Entity
Listener since this is one of those cross-cutting concerns. But apparently it's not
possible to inject the SessionContext into the listener, since it's not an EJB3
session bean I guess. Thus I'm using the SecurityAssociation.getPrincipal/getSubject
to gain access to the caller principal and roles in order to perform the entity ownership
checks. Is it OK to use the SecurityAssociation for this purpose?
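
The ownership check described in the post, sketched as a JPA entity listener. This is an added example, not code from the original post or from JBoss. The Owned interface, getOwnerName() and the OwnershipListener class are hypothetical names, and it assumes the entity stores its owner as the principal name.

```java
import java.security.Principal;
import javax.ejb.EJBAccessException;
import javax.persistence.PreRemove;
import javax.persistence.PreUpdate;
import org.jboss.security.SecurityAssociation;

/** Hypothetical contract: entities that record the name of the owning principal. */
interface Owned {
    String getOwnerName();
}

/** Attach with @EntityListeners(OwnershipListener.class) on each Owned entity. */
public class OwnershipListener {

    @PreUpdate
    @PreRemove
    public void checkOwnership(Object entity) {
        if (!(entity instanceof Owned)) {
            return; // listener attached to an entity without an owner: nothing to check
        }

        // JBoss-specific: the caller identity associated with the current thread.
        Principal caller = SecurityAssociation.getPrincipal();
        String owner = ((Owned) entity).getOwnerName();

        // Fail closed: an unauthenticated caller or a missing owner is a denial.
        if (caller == null || owner == null || !owner.equals(caller.getName())) {
            // A runtime exception from a lifecycle callback marks the
            // current transaction for rollback, so the change is not applied.
            throw new EJBAccessException("caller is not the owner of "
                    + entity.getClass().getSimpleName());
        }
    }
}
```

In @PreUpdate the listener sees the in-memory state, so an owner field the caller can overwrite defeats the comparison. Mapping the owner column with @Column(updatable = false) and exposing no setter for it keeps the compared value trustworthy.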