Bug
Resolution: Done
Critical
jboss-ws4ee-4.0.2
None
We use the Java(TM) Authorization Contract for Containers (JACC) to plug in our rights system. The role name "*" is used for generating the web.xml in JBossWS (more exactly in org.jboss.webservice.ServiceDeployerEJB) when an EJB is deployed together with a webservices.xml.
The special role name "*" is a shorthand for all role names defined in the deployment descriptor. When not using JACC in JBoss this works fine, but JACC is strict (and correct): a checked permission cannot be implied without an existing role; behind the "*" there must be at least one existing role. So a request accessing a resource protected with the role "*" will never be successfully authorized when there exists no other role in the web.xml.
As you know, the security-constraint with an included auth-constraint (= authorization) is needed because authentication is needed (authentication without authorization seems not to be a use case in the J2EE specification; take a look at http://jira.jboss.com/jira/browse/JBAS-1824).
I see the following solutions:
1. In the generated web.xml an additional role could be declared, based on a system property, to make the users of JACC happy:
e.g. setting jboss.ws.additional.security.role=ALLOW-ALL would result in adding
<security-role>
<role-name>ALLOW-ALL</role-name>
</security-role>
to the web.xml.
2. Not using "*". Because it is not possible to authenticate without defining a role, this role should be enlisted in jboss.xml.
3. Extending the servlet specification to allow authentication without authorization.
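The following is an added example, not code from JBossWS or from this report; it models the JACC translation rule the report relies on so the failure mode and the effect of solution 1 can be checked offline. The two web.xml descriptors are constructed for the example (the exact shape generated by org.jboss.webservice.ServiceDeployerEJB is an assumption): the first has an auth-constraint with role "*" and no <security-role> elements, the second adds the ALLOW-ALL role proposed in solution 1. Under the JACC rule, "*" expands to the set of roles declared in the descriptor, so with an empty set no role ever receives the permission and every request is denied.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: one security-constraint whose auth-constraint is
# the shorthand role "*", and no <security-role> declarations at all.
WEB_XML_STAR_ONLY = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ws</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Same descriptor with the extra role from solution 1
# (jboss.ws.additional.security.role=ALLOW-ALL).
WEB_XML_WITH_ROLE = WEB_XML_STAR_ONLY.replace(
    "</web-app>",
    "  <security-role><role-name>ALLOW-ALL</role-name></security-role>\n</web-app>",
)


def declared_roles(root):
    """All role names declared via <security-role> in the descriptor."""
    return {r.text.strip() for r in root.findall("security-role/role-name")}


def jacc_role_permissions(web_xml):
    """Translate security-constraints into a role -> set(url-pattern) map.

    Follows the JACC rule for auth-constraints: a role-name of "*" is
    shorthand for every role declared in <security-role>.  When nothing is
    declared, the expansion is empty and the permission is granted to no
    role, which is exactly why JACC rejects every request in that case.
    """
    root = ET.fromstring(web_xml)
    roles = declared_roles(root)
    grants = {}
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        ac = sc.find("auth-constraint")
        if ac is None:
            continue  # no auth-constraint: resource is unchecked, nothing to grant
        expanded = set()
        for rn in ac.findall("role-name"):
            name = rn.text.strip()
            expanded |= roles if name == "*" else {name}
        for role in expanded:
            grants.setdefault(role, set()).update(patterns)
    return grants


def url_matches(pattern, url):
    """Minimal servlet-style matching: '/*'-prefix patterns and exact paths."""
    if pattern.endswith("/*"):
        return url.startswith(pattern[:-1]) or url == pattern[:-2]
    return url == pattern


def is_authorized(web_xml, url, user_roles):
    """True if any of the caller's roles holds a permission covering url."""
    grants = jacc_role_permissions(web_xml)
    return any(url_matches(pat, url) for role in user_roles for pat in grants.get(role, ()))


if __name__ == "__main__":
    # With "*" alone the permission map is empty: denied even for an authenticated admin.
    print(jacc_role_permissions(WEB_XML_STAR_ONLY))
    print(is_authorized(WEB_XML_STAR_ONLY, "/ws/Endpoint", {"admin"}))
    # With ALLOW-ALL declared, "*" expands to {ALLOW-ALL} and members of it get through.
    print(jacc_role_permissions(WEB_XML_WITH_ROLE))
    print(is_authorized(WEB_XML_WITH_ROLE, "/ws/Endpoint", {"ALLOW-ALL"}))
```

Note that solution 1 only helps callers who are actually mapped to ALLOW-ALL: a user holding some other role is still denied, which is the intended JACC semantics rather than a bug. Solution 3 was later addressed outside JBoss by the Servlet 3.1 specification, which introduced the special role name "**" meaning "any authenticated user, regardless of role".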