To add to what Wolfgang has adviced - Two things: 1) "apph_" wrote : But it looks like security annotations are completely ignored. What does your import statement look like in the EJB. I am mainly interested in the @SecurityDomain import: @SecurityDomain("toy-shop-realm") In JBoss5, the import should be: import org.jboss.ejb3.annotation.SecurityDomain; 2) "apph_" wrote : But when i invoke it as 'admin', i'll get the 403 error - access denied.If I add <role-name>admin</role-name> in <auth-constraint> in web.xml i'll also get EJBAccessException: Caller unauthorized for 'admin' login. | Can you post the entire exception stacktrace? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4206847#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...