https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.beta/html-single/developing_ejb_applications/#ejb_invocation_over_http

The http-invoker attribute takes two parameters: a path that defaults to /wildfly-services and an http-authentication-factory that must be a reference to an Elytron http-authentication-factory.

Actually it is possible to use legacy security instead of Elytron - instead of specifying a value for http-authentication-factory, you can specify the security-realm attribute which is a name of a legacy security domain. Please note that these two attributes are mutually exclusive, you can't specify both http-authentication-factory and security-realm at the same time.