Regarding the NPE in the SecurityContext class, not obtaining the requisite ApplicationPolicy(authentication/authorization info etc), I made some changes such that there is a SecurityConfiguration static class (starting today) from where the configuration is obtained.
But before that, there needs to be an MBean (or some way) by which the application policies are established prior to start making authentication/authorization checks.
It is your choice as to how the configuration is established in the embedded ejb3 world.
This has been fixed.
Carlo, once you are done with the RC9 release, I would like to review your security layer and remove redundancies such that changes to the JBoss Security layer does not mess your security needs.