To secure the EJB tier, we did the following:
Deployed the JAAS-based security realm with the JBoss container.
Protected the EJB in ejb-jar.xml:
  Added security roles.
  Allowed callers with the unauthenticated guest or authorized Manager role to access non-secure methods.
  Restricted access to administrative methods to users in the Manager role.
Automated extra ejb-jar.xml settings with XDoclet.
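As an added example (not the article's own descriptor), the deployment fragments these steps produce: the bean name ProductManager, its method names and the security domain name ejb-realm are hypothetical placeholders. Manager is granted every method via "*" while guest is granted only the listed non-secure methods, so any method added later stays Manager-only until it is explicitly opened to guest.

```xml
<!-- ejb-jar.xml (fragment): assembly-descriptor for a hypothetical ProductManager bean -->
<ejb-jar>
  <assembly-descriptor>
    <!-- Step: declare the security roles referenced below -->
    <security-role>
      <description>Unauthenticated callers, mapped to this role by the JAAS login module</description>
      <role-name>guest</role-name>
    </security-role>
    <security-role>
      <description>Authenticated administrators</description>
      <role-name>Manager</role-name>
    </security-role>

    <!-- Step: Manager may call every method of the bean -->
    <method-permission>
      <role-name>Manager</role-name>
      <method>
        <ejb-name>ProductManager</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>

    <!-- Step: guest gets only the non-secure methods, listed one by one.
         Administrative methods (e.g. a hypothetical deleteProduct) are deliberately
         absent here, so only Manager, granted above, can reach them -->
    <method-permission>
      <role-name>guest</role-name>
      <method>
        <ejb-name>ProductManager</ejb-name>
        <method-name>findProduct</method-name>
      </method>
      <method>
        <ejb-name>ProductManager</ejb-name>
        <method-name>listProducts</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

<!-- jboss.xml (fragment): binds the bean to the JAAS security realm deployed with
     the container; "ejb-realm" is a placeholder for the realm's application-policy name -->
<jboss>
  <security-domain>java:/jaas/ejb-realm</security-domain>
</jboss>
```

With XDoclet, the method-permission entries above are generated from @ejb.permission role-name tags placed on the individual bean methods rather than maintained by hand.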