I don't know whether this is possible, but there are two things I would try:
1) take a look at the "@PermitAll" annotation for the ejb methods (or the "unchecked" element in "ejb-jar.xml").
2) There is a "@RunAs" annotation, but probably this also invokes your login module.
Hope that one of them helps.
Thanks for your hints. However, as you suspected, these settings still require previous authentication.
I believe the best workaround would be to create a separate EJB module for the UserService so it can have a default security domain different from the one used in the rest of the application.
The only other solution that comes to my mind is to completely remove the default security domain and use bean level annotations. The risk of forgetting to add them to new beans is high so I'll go for the two module approach.