Have you set a security domain in the jboss.xml file?
Hope that helps!
Thanks, you got me back on track. I'd tried that before but I was put off progressing it when my application then started to throw security exceptions for every access of every EJB in my deployment... following your post I had another whack at it and when I'd turned off all the access controls (set method-permissions to <unchecked/>, * for every EJB) it worked a treat.
But then, anonymous users still can't get access because JBoss doesn't consider them to be real users so you have to set up a <login-module> using AnonLoginModule in your login.conf...