if I use in the ejb-jar.xml <method-permission> <method-permission> instead of <method-permission> <role-name>friend</role-name> it works. And I have to disabled the http authorization for my example: <port-component> <port-component-name>RoleSecured</port-component-name> <port-component-uri>/ws/RoleSecured</port-component-uri> <!-- geht nur ohne http sicherheit der soaguimacht aber mit <auth-method>BASIC</auth-method> <transport-guarantee>NONE</transport-guarantee> --> </port-component> View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4020587#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...