0 Replies Latest reply on Sep 19, 2008 12:23 PM by mjremijan

    Please help, cannot get @RolesAllowed to work.

    mjremijan

      I am trying to get @RolesAllowed to work but despite setting a user which does NOT have the role "JournalAccountLogin" the web service method is allowed to be called anyway. See below for what I have configured. From the client I use a user which has the role "Journal JWS" so I can get past the <security-constraints> definition in the web.xml, however this user does NOT have the "JournalAccountLogin" role so when I try to call the login(...) method I was expecting the call to not work but it does. Can anyone help with this?

      WEB SERVICE

       @WebMethod
       @RolesAllowed("JournalAccountLogin")
       public Account login(...) { ... }
      


      FILE web.xml
       <servlet-mapping>
         <servlet-name>AccountJws</servlet-name>
         <url-pattern>/bin/account.jws</url-pattern>
       </servlet-mapping>
       .
       .
       .
       <security-constraint>
         <display-name>secure and confidential</display-name>
         <web-resource-collection>
           <web-resource-name>All</web-resource-name>
           <url-pattern>/bin/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
           <description>Only Journal JWS role has access</description>
           <role-name>Journal JWS</role-name>
         </auth-constraint>
         <user-data-constraint>
           <description>Only HTTPS</description>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
       </security-constraint>
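
Added example, not part of the original post and not the poster's code: one way to enforce the method-level role explicitly inside the web method, so the check does not depend on whether the container applies @RolesAllowed to this endpoint. It assumes AccountJws is a servlet-based JAX-WS endpoint (as the servlet-mapping above suggests); the `name` parameter, the `Account` fields and the `requireRole` helper are hypothetical.

```java
import java.security.Principal;

import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

@WebService
public class AccountJws {

    // Role name taken from the post. For a servlet endpoint, isUserInRole()
    // checks it against the <security-role> entries in web.xml (or a
    // <security-role-ref> mapping), so the role must be declared there.
    private static final String LOGIN_ROLE = "JournalAccountLogin";

    // Injected by the JAX-WS runtime; exposes the authenticated caller
    // established by the <security-constraint> on /bin/*.
    @Resource
    private WebServiceContext ctx;

    @WebMethod
    public Account login(String name) {       // hypothetical signature
        requireRole(LOGIN_ROLE);               // deny before any work is done
        Account account = new Account();
        account.name = name;
        return account;
    }

    // Hypothetical helper: fails closed when there is no authenticated
    // principal or the principal lacks the role.
    private void requireRole(String role) {
        Principal caller = ctx.getUserPrincipal();
        if (caller == null || !ctx.isUserInRole(role)) {
            String who = (caller == null) ? "anonymous" : caller.getName();
            throw new SecurityException(
                "Caller '" + who + "' lacks required role '" + role + "'");
        }
    }

    // Hypothetical stand-in for the poster's Account type.
    public static class Account {
        public String name;
    }
}
```

With this check in place, a caller holding only "Journal JWS" passes the URL constraint but receives a SOAP fault from login(...).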