I tried @RolesAllowed("BAD"), and @DenyAll also does not work as expected (methods are invoked).
I added my simple test.war. Since I'm a JBoss beginner, maybe I'm missing some basic stuff.
Here's the security-domain part of standalone.xml, which is referenced in the war:
<security-domain name="formauth" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="defaultUsers.properties"/>
            <module-option name="rolesProperties" value="defaultRoles.properties"/>
        </login-module>
    </authentication>
</security-domain>
Thanks, herb