see https://community.jboss.org/message/716366#716366 for details.
Invoking an EJB from a remote client throws an AccessControlException after 60+ successful invocations despite AllPermission in the policy file. The patch we developed in the discussion was to modify org/jboss/marshalling/reflect/SerializableClass.callReadObject(...) to use a privileged action. The workaround passed the tests in jboss-marshalling and worked for the remote EJB invocation (over 100,000 successful invocations before stopping test).