OK, I'll try to answer my own question :-) so I figured out that the web service has to be provided as a servlet in web.xml....
However, is not $Rolesallowed supposed to work in an ejb-webservice? Right now, it seems that all authenticated user (in roles defined in security contraints in web.xml) are allowed to any method even if @Resource WebServiceContext context - isUserInRole shows the correct role (and the role is NOT in @RolesAllowed) br hw -- View this message in context: http://openejb.979440.n4.nabble.com/stateless-webservice-in-war-and-ear-packaging-tp4663213p4663219.html Sent from the OpenEJB User mailing list archive at Nabble.com.
