I have two questions. My environment is Machine A runs JBoss/Tomcat only, hosting a protected servlet (i.e., it requires authentication) and Machine B runs JBoss, hosting an EJB (which will be called by the servlet). Question #1: What is best practice (or just plain old options) for securing the EJB? The EJB does not necessarily need the credentials of the user who authenticated with the servlet but it wants to at least "trust" calls made from the servlet. Question #2: If the environment was a servlet to servlet call - where an HTTP request was going between machines - I would require the request to be an HTTPS call. What is the equivalent for a servlet to EJB call across machines? Thanks! Kelly View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4081841#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...