Add security domain for test use with "catch-type=default":
<security-domain name="BlueaditServicesWS-SecurityDomain" cache-type="default">
This will enable picketBox caches authetnciated info. All the authenticated principal, subject and credentail will be cached in JBossCachedAuthenticationManager. After add this, ejb securityContextInterceptor can get authenticated credential from cache put by servlet authentication and directly compare the passed in crendential to validate without call the callbackhandler and do the real authentication work again.