Falling back to the J2EE design patterns and using Stateless Session Beans as a Session Facades you have the ability to expose methods with security constraints as WebServices end points using a broker. With this in mind you now are able to use the JAXB bind objects as transfer objects which simplifies the marshalling of responses back to the Client. This type of implementation also allows for re-use of the Session Facade method calls by Business Delegates. Interfacing your Session Facades you can create 2 constructs for both Local (Business Delegates) and Remote (Web Services calls). This allow you to annotate your security framework for the particular calls that are being made. The EJB3 implementation does not the J2EE patterns but has only simplified the Containers implementation making the Bean Context a more managable and flexible framework. Please do not disregard your thoughts on using J2EE patterns these are still valid with the new EJB3 paradigm. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3987566#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...