I found the JAAS annotations(such as @RolesAllowed etc) did not work if I did not apply the @SecurityDomain annotation on EJB class.
But it is not a standard API, and it can not be used in other Application server.
I do not want to use it.
Is there is some solution to remove the @SecurityDomain annotation, and make it work as the standard way.
You might use the vendor specific deployment descriptor for this.
The code is not polluted with such annotations but you have to write the XML stuff for each App server.
But if you support different servers you can pack the application with all specific descriptors because the other vendor specifics are ignored