I assume that you are asking how to restrict access to methods in EJB 3 session beans. To do this, you need to do two things.
First, secure your EJB. To do this, use the annotations @SecurityDomain on the class and @PermitAll and @RolesAllowed on the methods, or use the XML configuration file equivalents. Any EJB 3 book should tell you how to do this.
Second, define the security domain within JBoss AS by editing the server/xxx/conf/login-conf.xml file. You can read about this at http://docs.jboss.com/jbossas/guides/j2eeguide/r2/en/html_single/#ch8.chapter
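The two steps from the answer above, shown together as an added example that is not part of the original post or of JBoss's own code. The bean, interface, role name and login module choice are hypothetical, and the `SecurityDomain` import assumes the JBoss AS 4.x package name; the block shows two source files.

```java
// ---- AccountService.java (hypothetical business interface) ----
import javax.ejb.Remote;

@Remote
public interface AccountService {
    String status();
    void closeAccount(String accountId);
}

// ---- AccountServiceBean.java (hypothetical bean) ----
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
// JBoss-specific annotation. Assumption: JBoss AS 4.x package name;
// JBoss AS 5 and later use org.jboss.ejb3.annotation.SecurityDomain.
import org.jboss.annotation.security.SecurityDomain;

@Stateless
@SecurityDomain("ClientDomain") // must match an application-policy name on the server
public class AccountServiceBean implements AccountService {

    @PermitAll // callable regardless of the caller's roles
    public String status() {
        return "OK";
    }

    @RolesAllowed("admin") // hypothetical role; the container rejects callers without it
    public void closeAccount(String accountId) {
        System.out.println("closing account " + accountId);
    }
}

/* Matching entry in the server's conf/login-config.xml (constructed sample):
 *
 * <application-policy name="ClientDomain">
 *   <authentication>
 *     <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
 *                   flag="required">
 *       <module-option name="usersProperties">users.properties</module-option>
 *       <module-option name="rolesProperties">roles.properties</module-option>
 *     </login-module>
 *   </authentication>
 * </application-policy>
 */
```

The domain name inside the jar only selects which server-side policy is applied; the users, roles and login modules that enforce it live in the server configuration, not in the bean archive.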
I declared the SecurityDomain in the XML configuration file. But my problem is this: suppose the stranger has my bean, and he can extract it, see the XML configuration file and learn the SecurityDomain (and he can edit the login-config.xml file on the machine). How can I set things up so that he can't deploy my bean on his machine?
I am not sure that I understand your question.
If the "stranger" has access to your configuration files and can modify them, then there is no way to keep the stranger out. In other words, you have no security.
1. I declared a SecurityDomain (e.g. ClientDomain) inside the jboss.xml file. Then I packaged my bean into a jar file (e.g. myBean.jar).
2. The stranger gets it (myBean.jar) and can extract it. He can see everything in the jboss.xml file. (Here, I know the SecurityDomain that I declared.)
I understand what you mean! And it's very useful. I also think that if the stranger can access the JBoss server (and can know about login-config.xml) --> my beans are not secure.