"Markus.Wahl" wrote : I have discovered if I do use @SecurityDomain("mine") it suddenly works. So I have accomplished avoiding creating jboss-web.xml, but I still need to figure out how to avoid using the JBoss specific annotation or creating jboss.xml. do you think it is possible at all? I have verified now that specifying <security-domain>java:/jaas/JSolutionsCRM</security-domain> in jboss-app.xml and not using the @SecurityDomain annotation and instead specifying <security-domain>JSolutionsCRM</security-domain> in jboss.xml works. Note that there must be no java:/jaas/ part in the jboss.xml version. is that the reason why it is not sufficient to have jboss-app.xml and no jboss.xml nor annotation? that the ejb layer have no way of figuring out by itself that java:/jaas/ has to be removed from the security domain name? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3959085#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...