Yes, that declaration does not include your mbean in a security domain. Have a look at your deploy/jmx-invoker-service.xml file, jboss.jmx:type=adaptor,name=Invoker mbean, section about the invoke operation. You must have this uncommented: <descriptors> | <interceptors> | <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" | securityDomain="java:/jaas/jmx-console"/> | </interceptors> | </descriptors> That adds server side security to the RMIAdaptor. Your singleton-jmx-adaptor-service.xml doesn't include that, so the service is unsecured. In 4.0.5, the section above was commented out by default. The fact that you have it uncommented may indicate that someone in your organization wants that service secured (not a bad idea!!). So, you might want to double check before deploying a second, unsecured, version. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4047580#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...