With https://issues.jboss.org/browse/WFLY-5689 we now have a way to map security domains as defined within deployment descriptors to Elytron security domains in the EJB3 subsystem. This means that IIOP-enabled beans should make use of the Elytron security framework to authenticate and authorize incoming requests if such a mapping exists for the EJB application.