The Security chapter also mentions jboss.xml and jboss-web.xml ("8.3.1. Enabling Declarative Security in JBoss Revisited"). But the excellent EJB3 trailblazer didn't mention them. It did mention application.xml and jboss-app.xml. My application uses those files as well as a web.xml for the data layer. Do I need to start using jboss.xml and jboss-web.xml too, or is there a way around that so I only need to use application.xml, jboss-app.xml and web.xml? mvh, markus View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3958778#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...