Just registered on this forum looking for a resolution to this exact same issue. Wonder if you discovered anything new since your last post?
Our situation is basically identical. We're currently on JBoss 5. Our web-tier instances only service WARs and our EJB-tier instances only service EJBs. Our servlets or Struts Actions remotely invoke EJBs with no problems. We also have our own custom authenticator/login module to authenticate credentials. Connections to EJB are via JNP. We don't have to explicitly pass credentials to EJB connection.
We're looking into migrating to WildFly 8.2. If both WARs and EJBs run on the same instance, no problem. However, if we try to run separate WildFly instances just like we are on JBoss 5, it appears that we have to explicitly pass credentials via JNDI properties. (We're using Remote-Naming; EJB Client appears too restrictive for us.) We have lots of users and roles.
Maybe there's a way to extract the credentials authenticated by Undertow via the authentication mechanism and insert them into the JNDI properties? As an application developer, I don't believe we should have to do this, but I'm getting desperate!