anonymous wrote : To reiterate, I am expecting the call to the EJB method to fail as I have specified a non-existing roles in @RolesAllowed. I should have noted this in your first post itself. Overlooked it though. Have you specified a security domain for the EJB either through annotation at class level or through the jboss.xml file? If you haven't then the EJB is NOT considered a secure one and the @RolesAllowed will be ignored. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3981048#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...