I don't think we considered ejb method overload. Why not rename your methods?
Of course the methods can always be renamed. But what I'm alluding to is if the methods' arguments are taken into account maybe I can also check their values for authorization. Something like user A can only call bar(int x) where x < 50. Is it even possible?
The EJB XACML namespaces are not standardized. So I had low expectations of it becoming popular. Anyway, the ideal strategy would be for the ejb/ee namespaces to be standardized.
We are definitely going to fix this with a https://jira.jboss.org/browse/SECURITY-519 bug.
Implement a XACML Authorization Module delegate and implement it yourself for the time being.
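An added sketch, not part of the thread and not JBoss or XACML code, of the argument-aware check asked about above: rules are keyed on the full method signature so overloads stay distinct, and a predicate inspects the argument values. Every class and method name here (`ArgumentAwareAuthz`, `permit`, `isPermitted`, `Bean`) is hypothetical; a real delegate would run equivalent logic inside the container's authorization callback.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Predicate;

// Hypothetical sketch: none of these types are JBoss or XACML APIs.
public class ArgumentAwareAuthz {
    // Rules are keyed by user plus the full signature, so bar(int) and
    // bar(String) are distinct resources even though they share a name.
    private final Map<String, Predicate<Object[]>> rules = new HashMap<>();

    static String key(String user, Method m) {
        return user + "|" + m.getName() + Arrays.toString(m.getParameterTypes());
    }

    void permit(String user, Method m, Predicate<Object[]> argCheck) {
        rules.put(key(user, m), argCheck);
    }

    // Default deny: no rule for this exact overload means no access.
    boolean isPermitted(String user, Method m, Object... args) {
        Predicate<Object[]> rule = rules.get(key(user, m));
        return rule != null && rule.test(args);
    }

    // Constructed stand-in for an EJB with an overloaded business method.
    static class Bean {
        public void bar(int x) {}
        public void bar(String s) {}
    }

    public static void main(String[] args) throws Exception {
        Method barInt = Bean.class.getMethod("bar", int.class);
        Method barStr = Bean.class.getMethod("bar", String.class);

        ArgumentAwareAuthz authz = new ArgumentAwareAuthz();
        // The rule from the question: user A may call bar(int x) only where x < 50.
        authz.permit("A", barInt, a -> (Integer) a[0] < 50);

        // Cases: value within the limit, value at the limit,
        // the other overload (no rule), and a user with no rule.
        System.out.println(authz.isPermitted("A", barInt, 10));
        System.out.println(authz.isPermitted("A", barInt, 50));
        System.out.println(authz.isPermitted("A", barStr, "10"));
        System.out.println(authz.isPermitted("B", barInt, 10));
    }
}
```

Keying on the parameter types rather than the method name alone is what keeps a rule written for one overload from silently granting access to another.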