In addition to the well-documented steps for securing EJBs, configuring them in JBoss has some pitfalls. Setting up an authentication policy requires editing some JBoss-specific files:
conf/login-config.xml:
  <application-policy name="policy-name">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="optional">
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
      </login-module>
    </authentication>
  </application-policy>
META-INF/jboss.xml:
  <jboss>
    <security-domain>java:/jaas/policy-name</security-domain>
    ...
If you set up a policy like this, you apparently must establish a method-permission in ejb-jar.xml for every method (or *) of every bean. Misnaming a method, or trying to use a partial wildcard such as get* (which is not supported), gives an error:
Insufficient method permissions, principal=user, ejbName=Bean, method=method, interface=SERVICE_ENDPOINT, requiredRoles=[], principalRoles=[user-role1, user-role2]
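An ejb-jar.xml assembly-descriptor covering both cases (a lone * for one bean, exact method names for another), as an added example that is not from the original note. The bean AccountBean, its methods getBalance and getOwner, and the example.* class names are assumed placeholders; Bean, user-role1 and user-role2 are taken from the error message above.

```xml
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN" "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <enterprise-beans>
    <!-- Two stateless beans; the class names are assumed placeholders -->
    <session>
      <ejb-name>Bean</ejb-name>
      <home>example.BeanHome</home>
      <remote>example.Bean</remote>
      <ejb-class>example.BeanEJB</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
    <session>
      <ejb-name>AccountBean</ejb-name>
      <home>example.AccountHome</home>
      <remote>example.Account</remote>
      <ejb-class>example.AccountBeanEJB</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>user-role1</role-name></security-role>
    <security-role><role-name>user-role2</role-name></security-role>
    <!-- A lone "*" is the only wildcard method-name accepts: user-role1 may call every method of Bean -->
    <method-permission>
      <role-name>user-role1</role-name>
      <method>
        <ejb-name>Bean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <!-- Partial patterns such as get* do not match; each method must be named exactly,
         otherwise the call fails with "Insufficient method permissions" -->
    <method-permission>
      <role-name>user-role2</role-name>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>getBalance</method-name>
      </method>
      <method>
        <ejb-name>AccountBean</ejb-name>
        <method-name>getOwner</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

Any method of AccountBean not listed here (or listed with a misspelled name) is the situation the error above describes: requiredRoles comes back empty and the call is refused regardless of the caller's roles.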