The security related annotations are some of the least authoritative and simply need to be dropped in favor of the new metadata. The org.jboss.ejb3.security.JaccHelper and org.jboss.ejb3.Ejb3DescriptorHandler.addSecurityAnnotations are duplicating much of the metadata processing. I'm focusing on updating these two pieces of code to validate the AnnotationMetaDataDeployer behavior.
Initially I'm going to try to leave the aspect alone in terms of letting them continue to lookup the annotations and integrate the AnnotationMetaDataDeployer output via the MetaData repository. In the future I believe the security related metadata should be used instead.
http://jira.jboss.com/jira/browse/JBAS-4858
The JACC layer for EJB3 should get into a security deployer for the ejb3 metadata. I have not yet got to doing this task.