Alessio is right when he says the endpoint servlet is not called. Running the tests with
TRACE enabled for org.jboss.security shows us the following:
| 2008-08-26 14:30:19,078 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.JACCAuthorizationModule:{}required}is:[required]
| 2008-08-26 14:30:19,079 TRACE [org.jboss.security.authorization.modules.web.WebJACCPolicyModuleDelegate] (http-127.0.0.1-8080-1) resourceCheck=false : userDataCheck=true : roleRefCheck=false
| 2008-08-26 14:30:19,080 TRACE [org.jboss.security.authorization.modules.web.WebJACCPolicyModuleDelegate] (http-127.0.0.1-8080-1) hasUserDataPermission, p=(javax.security.jacc.WebUserDataPermission / POST)
| 2008-08-26 14:30:19,080 TRACE [org.jboss.security.jacc.ContextPolicy] (http-127.0.0.1-8080-1) No principals found in domain: ProtectionDomain null
| null
| <no principals>
| java.security.Permissions@1ed6d94 (
| (javax.security.jacc.EJBMethodPermission RoleSecuredSLSB)[*:*()]
| (javax.security.jacc.EJBMethodPermission BasicSecuredSLSB)[*:*()]
| [RoleSecuredSLSB,role-ref=friend]
| )
|
|
| 2008-08-26 14:30:19,080 TRACE [org.jboss.security.jacc.DelegatingPolicy] (http-127.0.0.1-8080-1) implied=false
| 2008-08-26 14:30:19,080 TRACE [org.jboss.security.authorization.modules.web.WebJACCPolicyModuleDelegate] (http-127.0.0.1-8080-1) Denied: (javax.security.jacc.WebUserDataPermission / POST)
| 2008-08-26 14:30:19,080 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-127.0.0.1-8080-1) Error in authorize:
| org.jboss.security.authorization.AuthorizationException: Authorization Failed:Denied.
| at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:268)
| at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67)
| at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:153)
| at java.security.AccessController.doPrivileged(Native Method)
| at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:149)
| at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:455)
| at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:121)
| at org.jboss.security.plugins.javaee.WebAuthorizationHelper.hasUserDataPermission(WebAuthorizationHelper.java:179)
| at org.jboss.web.tomcat.security.JBossWebRealm.hasUserDataPermission(JBossWebRealm.java:614)
| at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:461)
| at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:90)
| at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:96)
| at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
| at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
| at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
| at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
| at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:325)
| at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
| at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
| at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
| at java.lang.Thread.run(Thread.java:595)
| 2008-08-26 14:30:19,080 TRACE [org.jboss.security.plugins.javaee.WebAuthorizationHelper] (http-127.0.0.1-8080-1) hasRole check failed:Authorization Failed:Denied.
|
As we can see, JBossAuthorizationContext doesn't grant access to the endpoint servlet.
So, either we have an incomplete policy or we are inappropriately performing authorization
checks on this servlet.
anonymous wrote :
| Please note that it seems to me the ws calls are rejected in the same way even when
using the right principal/credential
|
You are probably right here. The tests would fail even when using the right authentication
info because access to the endpoint servlet would be rejected anyway.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4172689#...
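The trace above shows why the denial does not depend on who is logged in: the policy's Permissions collection holds only EJBMethodPermission entries, so the unchecked WebUserDataPermission for "POST" on "/" is not implied by anything, principals or not. The following added example (not code from the post, from JBoss or from the test suite) reproduces that implication check with the plain JACC permission classes, assuming the javax.security.jacc API jar is on the classpath. The bean names and the requested permission are taken from the trace; the rest of the policy is constructed for illustration.

```java
import java.security.Permissions;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.WebUserDataPermission;

public class JaccPolicyCheck {

    // The permission the web container asked for, exactly as printed in the trace:
    // name "/" (the request URI), actions "POST" (no transport guarantee required).
    static final WebUserDataPermission REQUESTED = new WebUserDataPermission("/", "POST");

    // Constructed policy mirroring the trace: EJB method permissions for the two beans
    // (null actions = all methods) and no web permissions at all.
    static Permissions ejbOnlyPolicy() {
        Permissions policy = new Permissions();
        policy.add(new EJBMethodPermission("RoleSecuredSLSB", null));
        policy.add(new EJBMethodPermission("BasicSecuredSLSB", null));
        return policy;
    }

    // The same question ContextPolicy/DelegatingPolicy answer in the trace ("implied=...").
    // No ProtectionDomain or principals are involved: WebUserDataPermission is an
    // unchecked permission, so only the contents of the policy matter.
    static boolean granted(Permissions policy) {
        return policy.implies(REQUESTED);
    }

    public static void main(String[] args) {
        Permissions policy = ejbOnlyPolicy();
        // Situation from the trace: only EJB permissions present.
        System.out.println("EJB permissions only, POST / implied: " + granted(policy));

        // What a complete policy would contain for this endpoint: the unchecked
        // web permission the container derives from the web module's security constraints.
        policy.add(new WebUserDataPermission("/", "POST"));
        System.out.println("after adding the web permission, POST / implied: " + granted(policy));
    }
}
```

In a deployed application these WebUserDataPermission entries are not added by hand: the container commits them to the JACC PolicyConfiguration from the web module's security-constraint declarations. So if the first check in the example matches the trace, the next thing to verify is whether the endpoint's web module is being linked to the same policy context as the EJBs, which is the "incomplete policy" case, versus whether the servlet should be going through the JACC valve at all.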