I believe that the behavior of web and ejb authorization is confusing, and at the same time it is undocumented.
Here it is:
1. There are authorization settings in security domains that specify policy modules to use.
2. In case of web authorization with undertow, security domains are not used by default unless this is enabled in jboss-web.xml, but even though this is the case, if you change a default module to jacc, undertow switches to jacc authorization even though it normally does not use security domains.
3. If jboss authorization is enabled in jboss-web.xml, then the default authorization module does nothing but you still get normal authz behavior as per servlet spec... But if you would set authorization policy to jacc, I believe it would cause jacc checks to be performed twice in case of successful auth, once because of security domain settings, once inside undertow...
4. At the same time EJB container uses authorization modules in security domains as the only authorization mechanism and in this case the default module really implements authorization decisions.
5. And, as the last point, in addition to the possibility to using jacc module or xacml module to authorize ejbs (and servlets), you can probably do the same with changing a delegate in the default delegating authz module.
It is possible I forgot something or that I am wrong, but...... That seems extremely complex to actually understand, and some things here seem to be redundant.