The security proxy mechanism is no longer supported by EJB3. In fact, it's really a deprecated mechanism for JBossAS. You have a few options.
You can add a custom interceptor by writing your own security interceptor class and deploying the interceptor by adding it to ejb3-interceptors-aop.xml.
Or, as you mention, you can use the @Interceptor, @Interceptors, and @AroundInvoke annotations to add a security interceptor.
Security information is available through the org.jboss.security.SecurityAssociation singleton - you can determine Principal and Credential information from there.
You can also determine specific (target, method, parameters) info from the InvocationContext and also generic information via getContextData()
Thanks for the reply. That's very useful. I also finally realized that I can inject the EJBContext into the interceptor and get the principal infor from there, though I note I can get more information from the SecurityAssociation.
I'm not sure I need it, but can I get security domain information from within an standard EJB3 interceptor? I know I can get the value of the @SecurityDomain annotation on the target object, but what about the currently active security domain (if that makes sense)?