The <security-domain> tag included in <container-configuration> in the jboss.xml file is ignored.
I have tracked were the problem seems to be (at least as I saw it).

In the class "org.jboss.ejb3.security.bridge.SecurityDomainMetaDataBridge" there are those lines:
//TODO: How to get the merged meta data? Is the following line correct?
if(securityDomain == null)
securityDomain = beanMetaData.getJBossMetaData().getSecurityDomain();

I replaced them with:
if (securityDomain == null)

{ JBossMetaData metaData = beanMetaData.getJBossMetaData(); securityDomain = metaData.getContainerConfiguration(beanMetaData.determineConfigurationName()) .getSecurityDomain(); if (securityDomain == null) securityDomain = metaData.getSecurityDomain(); }

As I understand it, if no "SecurityDomain" annotation is found, then we finish in this class and we do in order:
1. seek for a security domain in the bean's metadata (I guess it is in the EJB declaration)
2. seek for the one in "jboss-app.xml"

I inserted between them some code returning the one comming from the container's configuration

I hope this helps ...

Best regards,
Please keep me informed,
I hope to remove my "modified" jar with an official one soon.

John