- Bug
- Resolution: Done
- Major
- JBossAS-4.0.2RC1
- None
Currently JACC authorization happens only if the caller is authenticated.
If the caller is not authenticated, JBoss simply calls the next Interceptor.
Code snippet from JaccAuthorizationInterceptor.checkSecurityAssociation():
...
// Get the caller, return if there is no authenticated caller
Subject caller = SecurityActions.getContextSubject();
if( caller == null )
    return null;
...
Why can an unauthenticated caller invoke 'everything', whereas an authenticated caller gets authorized?
Of course, it can be assumed that a LoginModule is used.
We ran into this by using runAs in a MDB.
Authorization is based on authentication, and if authentication was not done properly, an exception would be appropriate.
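To make the fail-open behaviour concrete, here is an added, self-contained Java sketch (not JBoss code) that contrasts a check which skips authorization when no Subject is present with one that treats a missing Subject as an authentication failure. The RolePrincipal class, the Subject contents and the role names are constructed for the illustration.

```java
import java.security.Principal;
import javax.security.auth.Subject;

/**
 * Constructed example (not JBoss code): a minimal interceptor-style check that
 * contrasts the fail-open behaviour described in the report with a fail-closed one.
 */
public final class JaccFailOpenExample {

    /** Simple role principal used to populate the constructed Subject. */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Mirrors the reported behaviour: no Subject means the check is skipped and the call proceeds. */
    static boolean failOpenPermits(Subject caller, String requiredRole) {
        if (caller == null) {
            return true; // nobody to authorize, so nobody is denied either
        }
        return hasRole(caller, requiredRole);
    }

    /** Fail-closed variant: a missing Subject is an authentication failure, not a free pass. */
    static boolean failClosedPermits(Subject caller, String requiredRole) {
        if (caller == null) {
            throw new SecurityException("no authenticated caller; refusing to authorize");
        }
        return hasRole(caller, requiredRole);
    }

    /** True if any principal of the Subject carries the required role name. */
    static boolean hasRole(Subject caller, String role) {
        for (Principal p : caller.getPrincipals()) {
            if (role.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Subject authenticated = new Subject();
        authenticated.getPrincipals().add(new RolePrincipal("user"));

        System.out.println("authenticated 'user' asks for admin, fail-open:  " + failOpenPermits(authenticated, "admin"));
        System.out.println("unauthenticated asks for admin, fail-open:       " + failOpenPermits(null, "admin"));
        try {
            failClosedPermits(null, "admin");
        } catch (SecurityException e) {
            System.out.println("unauthenticated asks for admin, fail-closed:     denied (" + e.getMessage() + ")");
        }
    }
}
```

Running main shows the asymmetry the report describes: the authenticated caller without the role is refused while the unauthenticated caller passes the fail-open check, whereas the fail-closed variant rejects the missing Subject outright.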