We are developing a small EJB application for a university lecture using EJB 3.0, JBoss and Servlet (or JSP alternatively). Can we use the @PermitAll, @DenyAll, @RolesAllowed(Role), @RunAs(Role) annotations to secure our servlets? Or do we have to do it the traditional way, writing some session property after a user has logged in and then evaluation the session for every servlet (if session.getProperty("loggedin")==true then show servlet else redirect to 404)? View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4233613#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...