- Feature Request
- Resolution: Done
- Optional
- JBossAS-4.0.2 Final
- None
- Documentation (Ref Guide, User Guide, etc.)
JBoss implicitly puts EJB methods for which there is no security role specified in the ejb-jar.xml DD in the same category as the EJB methods to which calls are expressly forbidden by the <exclude-list> element in the DD, by calling the PolicyConfiguration.addToExcludedPolicy() method of a JACC provider implementation. This makes it impossible for the policy class implementation to distinguish between the two cases.
It is possible to explicitly mark methods as "unchecked" using the <unchecked/> element in <method-permission>, after which the methods are properly registered with the policy configuration using the addToUncheckedPolicy() method.
The EJB 2.1 spec says on this case:
>> It is possible that some methods are not assigned to any security roles nor contained in the
exclude-list element. In this case, it is the responsibility of the Deployer to assign method permissions
for all of the unspecified methods, either by assigning them to security roles, or by marking them
as unchecked. <<
In the case of JBoss AS, the deployer is realized by JBoss code.
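
An added example (not JBoss code and not part of the original report): a deploy-time check that lists the methods a descriptor leaves unspecified, which are the ones the report says are registered through addToExcludedPolicy(). The bean name, method names and sample descriptor are constructed, the descriptor is assumed to carry no XML namespace, and method-params and method-intf are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (EJB 2.x layout, no XML namespace).
SAMPLE_DD = """<ejb-jar>
  <assembly-descriptor>
    <method-permission>
      <role-name>teller</role-name>
      <method><ejb-name>Account</ejb-name><method-name>deposit</method-name></method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method><ejb-name>Account</ejb-name><method-name>getBalance</method-name></method>
    </method-permission>
    <exclude-list>
      <method><ejb-name>Account</ejb-name><method-name>close</method-name></method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>"""

# Constructed: methods on the bean's interfaces (the descriptor does not list them).
BEAN_METHODS = {"Account": ["deposit", "getBalance", "close", "transfer"]}

def _methods(parent):
    return [(m.findtext("ejb-name").strip(), m.findtext("method-name").strip())
            for m in parent.findall("method")]

def classify(dd_xml, bean_methods):
    """Return {(ejb, method): 'excluded'|'unchecked'|'role'|'unspecified'}."""
    ad = ET.fromstring(dd_xml).find("assembly-descriptor")
    rules = []  # (ejb-name, method-name or '*', category)
    if ad is not None:
        for mp in ad.findall("method-permission"):
            cat = "unchecked" if mp.find("unchecked") is not None else "role"
            rules += [(e, n, cat) for e, n in _methods(mp)]
        for ex in ad.findall("exclude-list"):
            rules += [(e, n, "excluded") for e, n in _methods(ex)]
    out = {}
    for ejb, names in bean_methods.items():
        for name in names:
            hit = {c for e, n, c in rules if e == ejb and n in (name, "*")}
            # Precedence used here: excluded, then unchecked, then role.
            out[(ejb, name)] = next(
                (c for c in ("excluded", "unchecked", "role") if c in hit),
                "unspecified")
    return out

def unspecified(dd_xml, bean_methods):
    """Methods the deployer must still assign to a role or mark unchecked."""
    return sorted(k for k, v in classify(dd_xml, bean_methods).items()
                  if v == "unspecified")
```

Running `unspecified(SAMPLE_DD, BEAN_METHODS)` reports `Account.transfer`, the one method that is neither granted, unchecked nor excluded in the sample.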