Currently, if there is no security domain defined for a deployment, we bypass security with a fat WARN message. But if there is presence of security meta data for the deployment (EJB3 sec annotations), there is an expectation of security enforcement. In this case, we need to default the security domain to "other".