This is a common problem. You are using an EJB to authenticate; however, when you have a security domain configured for your app, the EJB itself must be authenticated (Catch 22). You have 2 options:
1. Don't use a Session bean for authentication; rather, authenticate directly from the client.
2. (More complex) Create a separate .jar file in your application which has the authenticating Session bean. In the included jboss.xml for this jar, DO NOT specify a security domain. This EJB will not be required to authenticate, therefore you will not get the error you received below. Your other EJBs will still be authenticated correctly.
The second approach will complicate your build & deployment scenario, but will work.
I had tested the first option and it really works.
But for the second, I did try with your suggestion, but I am still facing an error: insufficient method permission principal=null method=create principalroles= ..
In my ejb-jar I had given <role-name> as everyone,
and nothing is there in web.xml. Could that be the cause of the problem?
I use the second approach. The "client session bean" is used for server-side authentication and it is not under any security domain. It works.
In the ejb-jar.xml file of the UNSECURED jar (containing the authenticating Session bean), remove any references to role names, as the purpose here is to ensure no authentication takes place prior to the EJB's methods being invoked.