So I know *what* caused it but not the *why*. (And maybe this post should go to the security forum, but no clue how to X-post here.)
In the ejb jar that I create, I use the security-domain element to specify the security realm I defined. The reason for this was that I had to do that if I wanted to secure ejbs that are called from MBeans. What I saw was that if I defined a user/role in the jmx-console realm, I was able to call ejbs even when that jmx-console role was NOT defined in the EJB's rolesAllowed annotation; it started working correctly after I added the security-domain element to the ejb. Having this in now, however, causes the authentication exception during the mbeans start execution. (The reason I am mucking with this is that I don't want people, e.g., to use twiddle or like code to call mbeans that they are not allowed
Now I *guess* that I need to muck around with the client-login realm defined in the login-config.xml.
So much to learn, so little time lol