The Java Docs for PermitAll say the following
Specifies that all security roles are allowed to invoke the specified method(s) i.e that the specified method(s) are "unchecked". It can be specified on a class or on methods. Specifying it on the class means that it applies to all methods of the class. If specified at the method level, it only affects that method. If the RolesAllowed is specified at the class level and this annotation is applied at the method level, the PermitAll annotation overrides the RolesAllowed for the specified method.
Ok, it made a liar out of me and just worked. I guess I had something screwy when doing the hot deploy...simple jboss restart fixed it.