I have no security defined for an EJB jar. It is deployed and tested, and working great.
Then I add in a jboss.xml file in the jar with a security domain defined. No other changes.
The client no longer has security rights to access the beans, even though there isn't any security defined for the beans. Is this right?
Yes. Like most security systems, the default is to deny access unless you explicitly grant it.
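The deny-by-default behaviour described in the answer, shown as an added configuration example that is not part of the original thread. It assumes classic EJB 2.x descriptors; the bean name `ExampleBean`, the role `AppUser` and the domain name `example-domain` are hypothetical placeholders.

```xml
<!-- META-INF/jboss.xml (fragment): attaching a security domain to the jar.
     Once this is present, every bean method call is subject to an
     authorization check, whether or not ejb-jar.xml says anything
     about security. -->
<jboss>
  <security-domain>java:/jaas/example-domain</security-domain>
</jboss>

<!-- META-INF/ejb-jar.xml (fragment): with no method-permission entry
     for a method, the container has nothing that grants access, so the
     call is rejected. Access has to be granted explicitly in the
     assembly-descriptor, in one of the two ways below. -->
<assembly-descriptor>

  <!-- Option 1: restrict the bean's methods to a named role.
       Callers must authenticate against the security domain and be
       mapped to this role. -->
  <security-role>
    <role-name>AppUser</role-name>
  </security-role>
  <method-permission>
    <role-name>AppUser</role-name>
    <method>
      <ejb-name>ExampleBean</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>

  <!-- Option 2 (use instead of option 1, only for methods that really
       need no authorization): mark them unchecked so any caller may
       invoke them. -->
  <!--
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>ExampleBean</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
  -->

</assembly-descriptor>
```

Prefer role-based permissions scoped to the methods that need them; `<unchecked/>` on `*` restores the pre-domain behaviour and should be limited to methods that are meant to be public.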