I found that our problem is related to "client-login" definition in login-context.xml, which is currently set to:
<!-- Used by clients within the application server VM such as
mbeans and servlets that access EJBs.
<application-policy name = "client-login">
<login-module code = "org.jboss.security.ClientLoginModule"
flag = "required">
What will be defined in "client-login"?
after moving to JBoss 3.2.5 I switched to XDoclet and forgot add security-domain in the xdoclet call:
Now it's working.