Since ejb web services are not part of a web application, they don't get the user data permissions that a web app does. Therefore there is no way to specify that ssl/tls or a client certificate is needed. Also there is no way to specify how to login. We can add a section to the openejb plan that specifies transport-guarantee and authentication-method just like for a web app. We might want to consider bringing this up with the appropriate spec committee.