- Bug
- Resolution: Done
- Major
- EJB 3.0 RC5 - PFD
- None
- Workaround Exists
I'm trying to run a @Service with a special role, so that it is able to access other beans, but @SecurityDomain seems to be ignored and thus the service is not started.
E.g.:
@Service
@SecurityDomain("shared")
@RunAs("staff")
public class UpdateService
    implements UpdateServiceM
{
    ...
}

@Local
@Management
public interface UpdateServiceM {
    ... // defines e.g. start() and stop(), but not create() and destroy()
}

@Stateless
@SecurityDomain("shared")
@RolesAllowed("staff")
public class UpdateServiceSB implements UpdateServiceDaoL {
    ...
}

@Local
public interface UpdateServiceDaoL extends UpdateServiceDao {
    ...
}
All SBs/IFs are part of the same foo.ear.
Deployment Exception:
2006-03-28 23:43:26,263 WARN [ScannerThread:org.jboss.system.ServiceController:424] - Problem starting service jboss.j2ee:ear=foo.ear,jar=foo-ejb-0.0.9a.jar,name=UpdateService,service=EJB3,type=ManagementInterface
javax.ejb.EJBAccessException: Authentication failure
at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:46)
at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:71)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
at org.jboss.ejb3.service.ServiceContainer.localInvoke(ServiceContainer.java:174)
at org.jboss.ejb3.service.ServiceContainer.localInvoke(ServiceContainer.java:142)
at org.jboss.ejb3.service.ServiceMBeanDelegate.invoke(ServiceMBeanDelegate.java:166)
at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:164)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:991)
at $Proxy0.start(Unknown Source)
...
Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
at org.jboss.security.Util.createPasswordHash(Util.java:407)
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:367)
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:195)
...
2006-03-28 23:53:25,969 ERROR [main:org.jboss.deployment.scanner.URLDeploymentScanner:548] - Incomplete Deployment listing:
--- MBeans waiting for other MBeans ---
ObjectName: jboss.j2ee:ear=foo.ear,jar=foo-ejb-0.0.9a.jar,name=UpdateService,service=EJB3,type=ManagementInterface
State: FAILED
Reason: javax.ejb.EJBAccessException: Authentication failure
--- MBEANS THAT ARE THE ROOT CAUSE OF THE PROBLEM ---
ObjectName: jboss.j2ee:ear=foo.ear,jar=foo-ejb-0.0.9a.jar,name=UpdateService,service=EJB3,type=ManagementInterface
State: FAILED
Reason: javax.ejb.EJBAccessException: Authentication failure
...
Actually, I'm wondering why the UsernamePasswordLoginModule appears in the stack trace, because @SecurityDomain("shared") is defined as:
...
<application-policy name="@security.domain@">
  <authentication>
    <login-module
        code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
        flag="required">
      <module-option name="dsJndiName">java:/@security.ds@</module-option>
      <module-option name="principalsQuery">SELECT passwd FROM users WHERE login=? AND (ISNULL(expire) OR (UNIX_TIMESTAMP() - (expire/1000) &lt; 0))</module-option>
      <module-option name="rolesQuery">SELECT r.name, 'Roles' FROM users u, roles r, user2role m WHERE u.login=? AND u.uid=m.users_uid AND m.roles_gid=r.gid</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>
...
So no UsernamePasswordLoginModule at all. Finally, my guess is that @SecurityDomain is completely ignored during deployment and that's why the start fails...
- relates to
- EJBTHREE-1738 Security, transaction contexts broken in start() method of @Service beans
- Resolved