Right way: do not force the user to always have an unauth annotation in his beans. He can specify the unauth identity in any of the following:
a) Security Domain
b) jboss.xml
c) jboss-app.xml

I would prefer the @UI injection that you do for @SD. I am not a big fan of custom annotations. I like ur injection stuff.

A log.trace should be done for the warning message.

Carlo de Wolf wrote:
> Thought as much. Hmm, I think we could use a warning message if we spot
> a @PermitAll without an unauthenticatedPrincipal and we don't get
> supplied with a principal from the caller. Any objections?
>
> Carlo
>
> On Wed, 2007-05-02 at 08:40 -0700, Scott M Stark wrote:
>
>> Unchecked applies to the allowed roles. By default it still needs an
>> authenticated user. If you don't want that, don't annotate the method
>> with a permission, or setup the security domain to allow unauthenticated
>> users. Without such a distinction, the @PermitAll annotation is meaningless.
>>
>> Anil Saldhana wrote:
>>
>>> So if the user does not provide any username/principal, then the
>>> unauthenticatedIdentity setting (if present) will kick in.
>>>
>>> Anil Saldhana wrote:
>>>
>>>> That is because Scott thinks that any unchecked method should not be
>>>> totally open to the world. Only authenticated principals should have
>>>> access.
>>>>
>>>> Carlo de Wolf wrote:
>>>>
>>>>> Do either one of you know why a @PermitAll requires an
>>>>> unauthenticatedPrincipal (on SecurityDomain)?
>>>>> I want the answer beyond: TCK requires AuthorizationInterceptors. :-)
>>>>>
>>>>> Carlo

The default should be coming from a central location for ejb2 and ejb3. For JBoss5, I think it will come from the security deployer as specified in the following discussion.
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=106897

Of course, the server will ship with a default.

For 4.2, I guess the default should come from the JaasSecurityManagerService.