- Enhancement
- Resolution: Done
- Major
As an example, consider the following scenario:
I have a simple secured servlet that invokes an EJB method that's secured, where both the servlet and the EJB are using the default Elytron security domain that's defined for applications (i.e., "ApplicationDomain"). There's a user defined in the "ApplicationRealm" that has the role that's required to access the servlet and the EJB method. Undertow uses securityIdentity.getRoles() to check if a user is authorized, so the user is able to access the servlet. However, the EJB subsystem uses securityIdentity.getRoles("ejb") to check if a user is authorized and since no "ejb" category is defined, an EJBAccessException would occur when attempting to invoke the EJB method.
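An added standalone example (not code from the issue or from WildFly) that reproduces the mismatch with the Elytron API: it builds a security domain backed by a realm named ApplicationRealm, authenticates one constructed user ("alice"/"secret", holding the role "Admin"), and compares securityIdentity.getRoles() with securityIdentity.getRoles("ejb"), first with no mapper for the "ejb" category and then with an identity role mapper registered for it. The class name is mine, and the builder and authentication-context calls are assumed to match the wildfly-elytron version in use.

```java
import java.util.Collections;
import org.wildfly.security.auth.permission.LoginPermission;
import org.wildfly.security.auth.realm.SimpleMapBackedSecurityRealm;
import org.wildfly.security.auth.realm.SimpleRealmEntry;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.auth.server.ServerAuthenticationContext;
import org.wildfly.security.authz.MapAttributes;
import org.wildfly.security.authz.RoleDecoder;
import org.wildfly.security.authz.RoleMapper;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.evidence.PasswordGuessEvidence;
import org.wildfly.security.password.interfaces.ClearPassword;
import org.wildfly.security.permission.PermissionVerifier;

public class EjbCategoryRolesExample {
    // Domain with one constructed user ("alice"/"secret") whose "Roles" attribute holds "Admin".
    static SecurityDomain buildDomain(boolean mapEjbCategory) {
        SimpleMapBackedSecurityRealm realm = new SimpleMapBackedSecurityRealm();
        realm.setIdentityMap(Collections.singletonMap("alice", new SimpleRealmEntry(
                Collections.singletonList(new PasswordCredential(
                        ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, "secret".toCharArray()))),
                new MapAttributes(Collections.singletonMap("Roles", Collections.singletonList("Admin"))))));
        SecurityDomain.Builder builder = SecurityDomain.builder()
                .addRealm("ApplicationRealm", realm).setRoleDecoder(RoleDecoder.simple("Roles")).build()
                .setDefaultRealmName("ApplicationRealm")
                .setPermissionMapper((mappable, roles) -> PermissionVerifier.from(new LoginPermission()));
        if (mapEjbCategory) {
            // Give the "ejb" category a mapper; without one, getRoles("ejb") yields no roles.
            builder.setCategoryRoleMapper("ejb", RoleMapper.IDENTITY_ROLE_MAPPER);
        }
        return builder.build();
    }

    static SecurityIdentity login(SecurityDomain domain) throws Exception {
        ServerAuthenticationContext ctx = domain.createNewAuthenticationContext();
        ctx.setAuthenticationName("alice");
        if (!ctx.verifyEvidence(new PasswordGuessEvidence("secret".toCharArray())) || !ctx.authorize()) {
            throw new IllegalStateException("authentication or authorization failed");
        }
        return ctx.getAuthorizedIdentity();
    }

    public static void main(String[] args) throws Exception {
        for (boolean mapped : new boolean[] { false, true }) {
            SecurityIdentity id = login(buildDomain(mapped));
            // getRoles() is what Undertow consults; getRoles("ejb") is what the EJB subsystem consults.
            System.out.printf("ejb category mapped=%b: servlet sees Admin=%b, ejb sees Admin=%b%n",
                    mapped, id.getRoles().contains("Admin"), id.getRoles("ejb").contains("Admin"));
        }
    }
}
```

With the category unmapped the second check is false even though the first is true, which is the state that produces the EJBAccessException described above.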