Here's a description of the problem from Stefan Guilhen:
Farah Juma Not sure if this is relevant but do you remember a quick chat we had about a month ago when I was converting this QS and I was getting a $local identity when IntermediateEJB attempted to invoke the SecuredEJB? No matter what I did in terms of configuration I was getting $local even if I used a sasl-mech-selector that explicitly defined DIGEST-MD5 as the only mech.
I found another sample app that was working correctly and the only difference was that the intermediate EJB was injecting the reference to the remote EJB instead of doing a lookup. So I've changed the QS to inject the reference to the SecuredEJB in the IntermediateEJB and it started working. I don't know if this has anything to do with the current issue but I was also getting the $local identity when running this QS.
The problem occurs for EJB invocations from a remote server when doing a lookup using a PROVIDER_URL when no protocol is set on the AuthenticationConfiguration that should be used for the remote EJB invocation. In particular, in RemoteOutboundConnectionService#start when an AuthenticationContext is specified for a remote outbound connection and no protocol is set on the resolved AuthenticationConfiguration, we currently use "http-remoting" as the default protocol when constructing the destination URI. In EjbClientContextSetupProcessor.RegistrationService#transformOne, we create an AuthenticationContext with a rule that attempts to match on "http-remoting". However, because the InitialContext is created using "remote+http://localhost:8080" as the PROVIDER_URL, our rule doesn't match this PROVIDER_URL, so the desired AuthenticationConfiguration doesn't actually get used. We could update RemoteOutboundConnectionService#start so that "remote+http" is used as the default protocol instead of the "http-remoting" protocol when no protocol is set on AuthenticationConfiguration that is resolved for an Elytron remote outbound connection.