Thanks! But I have already read that article. Seems that using @RolesAllowed is the only way it works.
One more question: what's the difference between annotating an EJB with @PermitAll and having an EJB without security annotations?
Role based authorisation is central to the way JEE authorisation works.
It's often useful to have a role that is assigned to all authenticated users. Then you can just use @RolesAllowed("all") on your methods (assuming you named this role "all").
@PermitAll is equivalent to no security, or unchecked. You might use this on a method of a class that has specified @DenyAll or @RolesAllowed at the class level.
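
Added example, not part of the original thread: a stateless bean showing how a class-level @RolesAllowed("all") default interacts with method-level @RolesAllowed, @PermitAll and @DenyAll. The class name, method names and the "admin" role are hypothetical, and it assumes the container's deployment configuration maps the "all" role to every authenticated user.

```java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

// Hypothetical bean. "all" is the role assumed to be granted to every
// authenticated user; "admin" is an assumed second, narrower role.
@Stateless
@DeclareRoles({"all", "admin"})
@RolesAllowed("all") // class-level default applied to every business method
public class AccountService {

    // No method-level annotation: the class-level @RolesAllowed("all")
    // applies, so any caller holding the "all" role may invoke it.
    public String viewBalance(String accountId) {
        return "balance for " + accountId;
    }

    // A method-level annotation replaces the class-level one:
    // only callers in "admin" pass; holding "all" alone is not enough.
    @RolesAllowed("admin")
    public void closeAccount(String accountId) {
        // privileged operation would go here
    }

    // Lifts the class-level restriction for this one method:
    // the container performs no role check (unchecked).
    @PermitAll
    public String serviceStatus() {
        return "UP";
    }

    // Tightens the class-level default for this one method:
    // the container rejects every caller, whatever roles they hold.
    @DenyAll
    public void legacyPurge() {
        throw new UnsupportedOperationException("disabled");
    }
}
```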