I think I know what the problem is - SecurityInterceptor (which performs the security checks for Seam components) is a client interceptor, which means it is not part of the ejb interceptor stack. I'm not sure what to suggest as a workaround at this stage, though the first thing you can try is to extend SecurityInterceptor and change the interceptor type to server and check that the restrictions are processed. @Interceptor(stateless = true, type=InterceptorType.SERVER, | around=AsynchronousInterceptor.class) | public class MySecurityInterceptor extends SecurityInterceptor View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4108695#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...