Looks like only web.xml matters security-constraint> | <web-resource-collection> | <web-resource-name>Server service</web-resource-name> | <url-pattern>/*</url-pattern> | <http-method>POST</http-method> | </web-resource-collection> | <auth-constraint> | <role-name>testuser</role-name> | </auth-constraint> | </security-constraint> and @RolesAllowed annotation does no effect View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4105030#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...