Why do you want to implement your authentication service using an EJB?
If there is a pressing reason for this, then it would probably make more sense to have it deployed as a separate service rather than part of the application which is using it.
I think you *can* deploy it as part of the same unit, with a different security setup, by using a different container configuration for the authentication EJB (in your jboss.xml file) and overriding the top-level security-domain element for this configuration.
Even if you have permitted access to all methods in your Authentication bean, the caller must still be authenticated to access it. Hence you get the situation you describe with the bean being called to authenticate method calls to itself ....
> Is there anyway to deploy all of these beans
> together, or must the AuthenticateSB be deployed in
> its own unit with no permissions required?
I posted a similar question a while back, because I had the same problem : I was not able to mix, in the same JAR, an EJB requiring auth with an EJB not requiring auth.
Somebody replied that this is actually not possible in JBoss. So I am keeping my non-auth beans in a separate distribution jar from my auth beans.