I am using JBoss 4.02, and I am in the process of enabling security authentication for all EJB methods. I have got the various security domain stuff working, and I can now successfully authenticate a client connection (and successfully fail an incorrect client). I am using various different roles on methods, assigned through the ejb-jar.xml descriptor file. I'd like to be able to assign some roles to special users. It seems that the <security-role> part of the jboss.xml file is designed to do just this (using the jboss.xml dtd here: http://www.jboss.org/j2ee/dtd/jboss_4_0.dtd, approx line 1045). However, this doesn't seem to be assigning the roles to the principal as expected. The comments seem to imply that this might only work when using run-as principal, not a normal principal. Is this correct? Note that I am using a very similar mechanism for BEA WebLogic which works OK. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3998946#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...