anonymous wrote : Does this restrict access to users with a "valid-user" role or does the unchecked with the wildcard allow anyone to access the secureMethod? If i am not wrong, i remember reading a similar post where it was mentioned that in such cases the stricter restriction will be used for authorization. So in your case, only the users with a "valid-user" role will be allowed to access the secureMethod. Getting this confirmed through a testcase would be great. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4024264#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...