Adam Kovari created JBWS-3492: --------------------------------- Summary: EJB WS authentication not working when using "strict" allRolesMode in server.xml Realm Key: JBWS-3492 URL: https://issues.jboss.org/browse/JBWS-3492 Project: JBoss Web Services Issue Type: Bug Security Level: Public (Everyone can see) Components: ws-security Environment: JBoss Enterprise Application Platform 5.1.2, both WS-native and WS-CXF affected Reporter: Adam Kovari Attachments: web-service-test-app.ear2 The customer needs to use "strict" mode on Realm in server.xml. By documentation it requires web.xml, however when using EJB Web Services there is no web.xml. Where does it pick authorization configuration from? ejb-jar.xml clearly not but I'm trying to figure out whether it's bug or feature. Please note that using annotations like @RolesRequired and @SecurityDomain is not considered here. I'm attaching example project web-service-test-app2.ear and jboss_config.zip. I have also example project when using POJO WS with web.xml. Then authorization works fine even with "strict" mode. Please request if interested. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira