I'm trying to secure a web service which is an EJB. I'm trying to accomplish this by adding the following jboss.xml in the META-INF folder.

<?xml version="1.0"?>
<!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 4.0//EN" "http://www.jboss.org/j2ee/dtd/jboss_4_2.dtd">
<jboss>
 <security-domain />
 <enterprise-beans>
 <session>
 <ejb-name>MyEJB</ejb-name>
 <configuration-name>MyEJB Web Service Config</configuration-name>
 </session>
 </enterprise-beans>

 <container-configurations>
 <container-configuration>
 <container-name>MyEJB Web Service Config</container-name>
 <security-domain>java:/jaas/mydomain</security-domain>
 </container-configuration>
 </container-configurations>
</jboss>

As you can see, this EJB is the only EJB that should be "behind" a security domain. I tried doing this with the SecurityDomain annotation on my EJB, but it gave me a nullpointer in my Seam application on deployment.

Now, this web service is indeed protected by this security domain. So far, so good. But now it seams that the rest of my application is also trying to pass this security domain. What am I forgetting here, or what am I doing wrong?

Btw, my EJB is annotated with the following annotations:

@Stateless(name="MyEJB")
@WebService(endpointInterface="...", name = "...", targetNamespace = "...", serviceName = "...")
@WebContext(urlPattern = "/webservice", authMethod = "BASIC", transportGuarantee = "NONE", secureWSDLAccess = false)