anonymous wrote : I am wondering if the ClientLoginModule is consulted before calls are made to EJB! I *guess* that's right. I saw your application policy. Just for the sake of confirming this, try changing it to: <application-policy name = "myPolicy"> | <authentication> | <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" | flag = "required" /> | | </authentication> | | </application-policy> Note that i have removed the ClientLoginModule entry. Now, i believe you will not be able to see the roles even in the EJB. Note that as per Q3 at : http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ the original application policy that you have is absolutely correct and i am asking you to change it only for the sake of testing. I will be able to give you a definite answer only after checking some docs and code(and that will not be before next week). View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3981487#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...