I'm getting started with security stuff and have a very basic question concerning
authorization.
In my stateless session bean, deployed in a JBoss AS 5.1.0, I marked a business method
with @DenyAll to see how security prevents me from calling this method. I did not change
the security setup, i.e. did not modify the login-config.xml.
My problem is, the method is executed as if there was no @DenyAll annotation. I also tried
to put it in the remote interface and tried @RolesAllowed(..) too. Is this correct
behavior? I would have expected the container to block these calls. What do I have to do
to make it work?