1 Reply Latest reply on Jan 31, 2012 5:19 PM by method_ben_qc

    JBoss AS 7 security problem

    mateo01

      Hi everyone!

      I use JBoss AS 7 for my new application, which contains some EJB components connected with one main EJB marked as a web service (JAX-WS). I am connecting to this service from a standalone test application and everything works fine. But I wanted to implement authentication and authorization, so the head of my web-service implementation class looks like this:

      @Stateless
      @SchemaValidation(enabled = true)
      @WebService(wsdlLocation = "/META-INF/wsdl/invoiceservice.wsdl")
      @SecurityDomain("jboss-domain")
      @DeclareRoles({"moderator"})
      @RolesAllowed({})
      public class InvoiceServiceImpl implements Invoiceservice {

          @Override
          @TransactionAttribute(TransactionAttributeType.REQUIRED)
          @DenyAll
          public CreateDocumentRS createDocument(CreateDocumentRQ payload) throws BusinessException {
              .....some code
          }
      }

      I have also configured the security domain in standalone.xml; it looks like this:

      <security-domain name="jboss-domain" cache-type="default">
          <authentication>
              <login-module code="UsersRoles" flag="required">
                  <module-option name="usersProperties" value="ejb3users.properties"/>
                  <module-option name="rolesProperties" value="ejb3roles.properties"/>
                  <module-option name="unauthenticatedIdentity" value="nobody"/>
              </login-module>
          </authentication>
      </security-domain>

      The files ejb3users.properties and ejb3roles.properties are stored in the same directory as standalone.xml.

      And now, when I'm trying to connect to the web service with my standalone application (without setting a username and password), everything works: every method which should be denied executes without any exception. Normally I guess the method createDocument should not execute and should throw an exception, but it doesn't...

      Could you guys advise me on what I am doing wrong? Maybe there is something more I should configure?

      Thanks in advance for any thoughts!
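The following is an added example, not code from the original post or from JBoss: a small reflection-based audit a practitioner can run over an EJB implementation class before deploying it, to catch the authorization-annotation mistakes that are easy to overlook (no @SecurityDomain on the bean, a class-level @RolesAllowed({}) that names no role, business methods with no method-level annotation that silently fall back to the class-level policy, conflicting annotations on one method, and roles used in @RolesAllowed that are not listed in @DeclareRoles). It assumes the Common Annotations API (javax.annotation.security) and the JBoss EJB3 extension API (org.jboss.ejb3.annotation.SecurityDomain) are on the classpath; SampleInvoiceBean is a constructed stand-in that mirrors the shape of the poster's bean, not their code.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

import org.jboss.ejb3.annotation.SecurityDomain;

public class EjbSecurityAudit {

    /** Returns one finding per problem; an empty list means the class passed every check. */
    public static List<String> audit(Class<?> bean) {
        List<String> findings = new ArrayList<>();
        String name = bean.getSimpleName();

        // A bean with no @SecurityDomain is not bound to a login-module chain by this class;
        // it then depends on whatever the deployment descriptor or subsystem default provides.
        if (!bean.isAnnotationPresent(SecurityDomain.class)) {
            findings.add(name + ": no @SecurityDomain on the bean class");
        }

        // Roles referenced by @RolesAllowed should also appear in @DeclareRoles so the
        // declared set can be cross-checked against the roles properties file.
        List<String> declared = new ArrayList<>();
        DeclareRoles dr = bean.getAnnotation(DeclareRoles.class);
        if (dr != null) {
            declared.addAll(Arrays.asList(dr.value()));
        }

        // An empty @RolesAllowed names no role at all; @DenyAll states that intent clearly.
        RolesAllowed classRoles = bean.getAnnotation(RolesAllowed.class);
        if (classRoles != null && classRoles.value().length == 0) {
            findings.add(name + ": class-level @RolesAllowed({}) names no role; use @DenyAll to deny by default");
        }

        for (Method m : bean.getDeclaredMethods()) {
            // Only public instance methods are business methods the container exposes.
            int mods = m.getModifiers();
            if (!Modifier.isPublic(mods) || Modifier.isStatic(mods) || m.isSynthetic()) {
                continue;
            }
            boolean deny = m.isAnnotationPresent(DenyAll.class);
            boolean permit = m.isAnnotationPresent(PermitAll.class);
            RolesAllowed roles = m.getAnnotation(RolesAllowed.class);
            int count = (deny ? 1 : 0) + (permit ? 1 : 0) + (roles != null ? 1 : 0);
            if (count == 0) {
                // Method-level annotations override the class-level one; with none present
                // the method inherits whatever the class declares.
                findings.add(m.getName() + ": no method-level authorization annotation; inherits class-level policy");
            } else if (count > 1) {
                findings.add(m.getName() + ": more than one of @DenyAll, @PermitAll and @RolesAllowed");
            }
            if (roles != null) {
                for (String r : roles.value()) {
                    if (!declared.contains(r)) {
                        findings.add(m.getName() + ": role '" + r + "' is not listed in @DeclareRoles");
                    }
                }
            }
        }
        return findings;
    }

    // Constructed stand-in mirroring the shape of the poster's bean (not their code).
    @SecurityDomain("jboss-domain")
    @DeclareRoles({"moderator"})
    @RolesAllowed({})
    public static class SampleInvoiceBean {
        @DenyAll
        public String createDocument(String payload) { return "created " + payload; }

        @RolesAllowed({"moderator", "auditor"})
        public String listDocuments() { return "list"; }

        // Deliberately unannotated: the audit should report it.
        public String ping() { return "pong"; }
    }

    public static void main(String[] args) {
        // Expected findings for SampleInvoiceBean: the empty class-level @RolesAllowed,
        // the undeclared 'auditor' role, and the unannotated ping() method.
        for (String f : audit(SampleInvoiceBean.class)) {
            System.out.println("FINDING: " + f);
        }
    }
}
```

Running the audit as part of a build or a unit test turns "I expected the container to deny this call" into an explicit check on the class itself; it does not replace an integration test that actually invokes the endpoint without credentials and asserts that the call is rejected.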