JBOSS 4.x supports ejb 2.1 as webservice endpoints using jax-rpc. I read through JBOSS configruation guide and searched on the web, but could not find much information on how to enable security for ejb 2.1 webservice endpoints. I have been able to expose ejb 2.1 as web servcies using configuration and wsdl files generated by wstools. It is working fine but it is a free entry for eveyone. I have security roles configured in ejb-jar.xml and security domain configured in jboss.xml. The login module is also configured in login-config.xml, but client is able to get access to endpoints without providing any authentication information. I want to enable secure access for ejb 2.1 endpoints. Could you please help me by referring a right place where I can find some information, or provide some documentation if you have it handy.