You cannot use wild cards in ejb-jar.xml for declarative security.
However, you can install a security interceptor with your application that can check these roles. The interceptor gets called before the EJB and you can handle all checking there. The interceptor gets access to the principal, roles, EJB and the EJB method that is being invoked. This is enough info for you to program fine-grained security.
Another way would be to check the user's roles in EJB interface methods and not proceed if the user has insufficient roles (throw a security exception). However, this logic needs to be implemented in every method.
1) Option 1 is clean and simple and your EJB code is not aware of security logic.
2) Option 1 is JBoss-specific and you will have trouble migrating to other app servers that don't allow this flexibility (remember JBoss is very, very flexible and allows you to do a lot more customization than other servers).
3) Option 2 should work on any app server!!
What should you choose?
Choose option (2) if you need portability, or choose (1) otherwise.
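
Option 2 can be kept to one call at the top of each business method. The following is an added example, not code from the original post: `RoleGuard`, the role names and the trailing-`*` pattern syntax are assumptions, and inside a bean the predicate would be the EJB context's `isCallerInRole` method.

```java
import java.util.List;
import java.util.function.Predicate;

/** Hypothetical helper for option 2: call require(...) first in each business method. */
public final class RoleGuard {
    private final List<String> knownRoles;        // roles the application declares (assumed names)
    private final Predicate<String> callerInRole; // in a bean: sessionContext::isCallerInRole

    public RoleGuard(List<String> knownRoles, Predicate<String> callerInRole) {
        this.knownRoles = knownRoles;
        this.callerInRole = callerInRole;
    }

    /** True if 'role' matches 'pattern'; only a single trailing '*' acts as a wildcard. */
    static boolean matches(String pattern, String role) {
        if (pattern.endsWith("*")) {
            return role.startsWith(pattern.substring(0, pattern.length() - 1));
        }
        return pattern.equals(role);
    }

    /** Throws SecurityException unless the caller holds a declared role matching the pattern. */
    public void require(String pattern) {
        for (String role : knownRoles) {
            if (matches(pattern, role) && callerInRole.test(role)) {
                return; // authorized
            }
        }
        // Fail closed: the caller holds no matching role, or the pattern matches nothing declared.
        throw new SecurityException("caller lacks a role matching " + pattern);
    }

    public static void main(String[] args) {
        // Constructed sample data: declared roles and a stand-in for the container's caller.
        List<String> declared = List.of("orders_read", "orders_write", "admin");
        Predicate<String> caller = List.of("orders_read")::contains;
        RoleGuard guard = new RoleGuard(declared, caller);

        guard.require("orders_*");      // passes: the caller holds orders_read
        try {
            guard.require("admin");     // denied: the caller is not in admin
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The pattern is expanded against the application's own list of role names because the portable API only answers whether the caller is in one named role; it does not enumerate the caller's roles.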