can any one tell me the exact process of putting security in ejb business methods. i have tried with giving syntax like , @ejb.permission role-name = "Primary User Role" before defining business methods and maintioning method permisions,user roles in ejb-jar.xml,jboss.xml. i also created application policy in login-confg . but it's not working. please tell me what exactly i have to do and what changes and to which xmls i have to make.