There is a need for a security domain annotation override for jboss-app.xml.
According to Bill:
The EJB Container is based on AOP which allows annotation overrides.
The DD parsing looks for security-domain with the jboss.xml file. If it exists, then it allocates a SecurityDomain annotation and adds it to the EJB Container's annotation override facility which in turn is picked up by AOP at interceptor bind time.
What really needs to be done is a refactoring of the metadata parsing like it is in other deployers. That XML is parsed in a different, separate deployer. Then you can write an additional deployer that acquires metadata from the EAR level and augments the metamodel. That way the EJB deployment process is as isolated from EAR specific processing as possible.