We don't use them, but as far as I understand it all can be declared by annotations on class or method level. Have a look at http://java.sun.com/javaee/5/docs/api/ and watch out for javax.annotation.security - package. The roles itself must be defined in login-config.xml in conf-dir of your server configuration (i.e. <jboss-install-dir>/server/default/conf). There are different ways for specifying usernames, passwords and roles. The simplest one is by using a properties file. If your read the login-config.xml you'll probalby able to understand the configuration needs. Hope this helps. Regards. /sandor/ View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4080374#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...