JBoss validates ejb-jar.xml against the DTD.
Look at docs/dtd/ejb-jar_2_0.dtd:
The method-permission element specifies that one or more security
roles are allowed to invoke one or more enterprise bean methods. The
method-permission element consists of an optional description, a list
of security role names or an indicator to state that the method is
unchecked for authorization, and a list of method elements.
The security roles used in the method-permission element must be
defined in the security-role element of the deployment descriptor, and
the methods must be methods defined in the enterprise bean's component
and/or home interfaces.
Used in: assembly-descriptor
<!ELEMENT method-permission (description?, (role-name+|unchecked), method+)>
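
As an added example (not part of the original post and not JBoss code), the following checks a descriptor against the method-permission content model quoted above, reports role names that have no matching security-role, and flags unchecked entries. The sample descriptor, bean names, role names and the function name `check_method_permissions` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Content model from ejb-jar_2_0.dtd, applied to the sequence of child tags:
# (description?, (role-name+|unchecked), method+)
MODEL = re.compile(r"(description )?((role-name )+|unchecked )(method )+")

# Constructed sample descriptor (bean and role names are made up).
SAMPLE = """<ejb-jar>
 <assembly-descriptor>
  <security-role><role-name>admin</role-name></security-role>
  <method-permission>
   <role-name>admin</role-name>
   <method><ejb-name>AccountBean</ejb-name><method-name>*</method-name></method>
  </method-permission>
  <method-permission>
   <role-name>auditor</role-name>
   <method><ejb-name>AccountBean</ejb-name><method-name>getBalance</method-name></method>
  </method-permission>
  <method-permission>
   <method><ejb-name>AccountBean</ejb-name><method-name>ping</method-name></method>
   <unchecked/>
  </method-permission>
 </assembly-descriptor>
</ejb-jar>"""

def check_method_permissions(xml_text):
    """Return (position, kind, detail) findings for each method-permission."""
    asm = ET.fromstring(xml_text).find("assembly-descriptor")
    if asm is None:
        return []
    # Role names declared through security-role elements.
    declared = {(r.findtext("role-name") or "").strip()
                for r in asm.findall("security-role")}
    findings = []
    for pos, mp in enumerate(asm.findall("method-permission"), 1):
        # Child order matters: the DTD content model is a sequence.
        order = "".join(child.tag + " " for child in mp)
        if not MODEL.fullmatch(order):
            findings.append((pos, "content-model", order.strip()))
        for rn in mp.findall("role-name"):
            role = (rn.text or "").strip()
            if role not in declared:
                findings.append((pos, "undeclared-role", role))
        # unchecked means the listed methods are not checked for authorization.
        if mp.find("unchecked") is not None:
            findings.append((pos, "unchecked", "no authorization check"))
    return findings

if __name__ == "__main__":
    for finding in check_method_permissions(SAMPLE):
        print(finding)
```

The third method-permission in the sample fails validation only because `unchecked` follows `method`; the same children in DTD order would pass and still leave `ping` callable without an authorization check.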