For the interceptor before EJB invoked from servlet: com.sun.enterprise.security.application.EJBSecurityManager.isCallerInRole(role) ProtectionDomain = line 880, has the right code source, but when looked at the result of toString(), it contains permissions from web policy file - (glass)fishy com.sun.enterprise.security.provider.BasePolicyWrapper.implies(ProtectionDomain, Permission) - line 230 Permission = "javax.security.jacc.EJBRoleRefPermission GreeterBean szczyp" com.sun.enterprise.security.provider.BasePolicyWrapper.doImplies(ProtectionDomain, Permission) - line 378 ***** contextId = "TestEAR/TestWeb_war" PolicyConfigurationImpl.policyURLValue = "file:/home/rafal/Apps/glassfish-v2/domains/szczypior.eu/generated/policy/TestEAR/TestWeb_war/granted.policy" Policy = has permissions that reflect the policy file for web module ***** com.sun.enterprise.security.provider.PolicyFile.implies(ProtectionDomain, Permission) - line 1143 ProtectionDomain.codesource = "file:/TestEAR/TestEJB_jar" Map pdMap has only keys for web code source, and their web permissions, but Permission Permission = GreeterBean for role szczyp returned PermissionCollection from the map is null - line 1147 com.sun.enterprise.security.provider.PolicyFile.implies(ProtectionDomain) - line 1191 com.sun.enterprise.security.provider.PolicyFile.getPermissions(Permissions, ProtectionDomain) line 1240 com.sun.enterprise.security.provider.PolicyFile.getPermissions(Permissions, CodeSource, Principals[]) line 1284 these gather permissions, but they do not contain the EJBPermission anyways java.security.Permissions.implies(Permission) - line 157 Permission = "javax.security.jacc.EJBRoleRefPermission GreeterBean szczyp" Permissions doesn't have a PermissionCollection for this Permission type (EJBRoleRefPermission), so return false