The Java Docs for PermitAll say the following anonymous wrote : Specifies that all security roles are allowed to invoke the specified method(s) i.e that the specified method(s) are "unchecked". It can be specified on a class or on methods. Specifying it on the class means that it applies to all methods of the class. If specified at the method level, it only affects that method. If the RolesAllowed is specified at the class level and this annotation is applied at the method level, the PermitAll annotation overrides the RolesAllowed for the specified method. After reading this I had assumed that by having an unauthenticatedIdentity set up in my login-config.xml file for the appropriate JAAS Domain anyone would be able to access that particular method. This does not seem to be the case though. In short what needs to be done to allow an unauthenticated user to be able to invoke a method on an EJB that is secureded by a JAAS domain? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4184469#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...