1. Did you checked your DD's? Were there any errors during deployment? I found that jboss/tomcat is very sensitive to this and may ( as side effect )
do not bind security context.
2. JbossSecurityMgrRealm stores auth data in
SecurityAssociation ( which is ThreadLocal etc. pp. )
Client side proxies pull those data from there on invocation of ejb's
( BTW, nothing prevents you to setup
SecurityAssociation without JbossSecurityMgrRealm... )
Nothing yet. Future versions running under a Java2 SecurityManager will not allow access to the SecurityAssociation from client code.