I may not totally be answering your question, but it may be related to something I ran into and that was assuming the generate WAR file (and I'm working with EJB3 endpoints) would contain the proper security constraints. I couldn't get the annotations to work for that, so I created the jboss-web.xml and web.xml and packaged my own WAR and it worked fine. Look at http://www.jboss.com/index.html?module=bb&op=viewtopic&t=91699 for my post that touches on this. I have a JAAS module doing the login and creates a Principal which my EJB3 endpoint can access. Also loads the roles so my EJB3's "@RolesAllowed" annotation is honored. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3975933#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...