I am trying to get @RolesAllowed to work but despite setting a user which does NOT have
the role "JournalAccountLogin" the web service method is allowed to be called
anyway. See below for what I have configured. From the client I use a user which has the
role "Journal JWS" so I can get past the <security-constraint> definition
in the web.xml, however this user does NOT have the "JournalAccountLogin" role
so when I try to call the login(...) method I was expecting the call to not work but it
does. Can anyone help with this?
WEB SERVICE
| @WebMethod
| @RolesAllowed("JournalAccountLogin")
| public Account login(...) { ... }
|
FILE web.xml
| <servlet-mapping>
|   <servlet-name>AccountJws</servlet-name>
|   <url-pattern>/bin/account.jws</url-pattern>
| </servlet-mapping>
| .
| .
| .
| <security-constraint>
|   <display-name>secure and confidential</display-name>
|   <web-resource-collection>
|     <web-resource-name>All</web-resource-name>
|     <url-pattern>/bin/*</url-pattern>
|   </web-resource-collection>
|   <auth-constraint>
|     <description>Only Journal JWS role has access</description>
|     <role-name>Journal JWS</role-name>
|   </auth-constraint>
|   <user-data-constraint>
|     <description>Only HTTPS</description>
|     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
|   </user-data-constraint>
| </security-constraint>
|
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4177719#...
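For a servlet-based (POJO) JAX-WS endpoint the container enforces only the web.xml constraint, so the caller above gets through once it holds "Journal JWS"; @RolesAllowed is enforced by the EJB container and only takes effect when the endpoint is a session bean. The following is an added example, not code from the post, showing the two ways to close that gap: an explicit role check inside the POJO endpoint, and the same method deployed as an EJB endpoint. The class name AccountJws and the two role names come from the post; the method parameters and the Account placeholder type are assumed.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

// In a real deployment each endpoint class lives in its own source file;
// they are shown together here for comparison.

// Option 1: keep the servlet-based endpoint and check the role in code.
// web.xml's <auth-constraint> only proves the caller holds "Journal JWS";
// the narrower "JournalAccountLogin" check is the method's own job.
@WebService
class AccountJws {

    @Resource
    private WebServiceContext wsContext;   // injected by the JAX-WS runtime

    @WebMethod
    public Account login(String user, String password) {
        // Fail closed: no context or missing role means no login.
        if (wsContext == null || !wsContext.isUserInRole("JournalAccountLogin")) {
            throw new SecurityException("caller lacks role JournalAccountLogin");
        }
        return new Account(user);          // real credential check omitted
    }
}

// Option 2: deploy the endpoint as a session bean. The EJB container enforces
// @RolesAllowed itself and rejects an unauthorized call with EJBAccessException,
// which the SOAP layer reports to the client as a fault. The bean must run in
// the same security domain as the web application (container setup not shown).
@Stateless
@WebService
@DeclareRoles({"Journal JWS", "JournalAccountLogin"})
class AccountEjbJws {

    @WebMethod
    @RolesAllowed("JournalAccountLogin")
    public Account login(String user, String password) {
        return new Account(user);          // reached only if the role check passed
    }
}

// Minimal placeholder for the Account type used by both endpoints (assumed).
class Account {
    public final String name;
    Account(String name) { this.name = name; }
}
```

In both variants "JournalAccountLogin" must also be declared as a <security-role> in web.xml and be mapped in the security domain, otherwise the container cannot resolve the role for either isUserInRole or @RolesAllowed.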