Hi...
I'm quite new to JBoss and JEE and tried to realize a very simple webshop to become
familiar with both topics. The application is an EAR, containing a WAR and an EJB-part.
When I try to add security by adding the security-domain "java:jaas/webshop" to
the WAR's jboss-web.xml and "webshop" to EJB's jboss.xml[1] after
defining the application-policy "webshop" in conf/login-config.xml, I can't
call any (unprotected! no method-permission in ejb-jar.xml) EJBs anymore. If I try, I get
a SecurityException, because the principal is null.
I expected the principal for unauthenticated users to be equal to
unauthenticated-principal in conf/standardjboss.xml, but it seems this is never applied.
Can anybody explain to me how I can use this unauthenticated-principal or how to access my
(unprotected) EJBs without discarding the security-domain?
Stefan (after hours of googling)
[1]: Using "java:jaas/webshop" in jboss.xml causes a ClassCastException because
"JaasSecurityManager cannot be cast to SecurityDomainContext". In
https://jira.jboss.org/jira/browse/JBAS-4022 Erica Kane suggested leaving the prefix
out.