Seems like all remote calls have to be authenticated by remoting-connector.
This is the key: <connector name="remoting-connector" socket-binding="remoting" security-realm="TutorialRealm"/>, where the whole JBoss EJB remote access is tied to a single app realm. Seems like a mess. If you have multiple apps on the same server with their own security, maintaining access to them with a remote client is going to be a nightmare.
My workaround for this was to put a jar file with a dummy login module that just lets authentication requests pass, considering that other security-domains are enabled in EJBs.
The application login module must have <module-option name="password-stacking" value="useFirstPass"/> to piggyback on the cached Principal/Credentials.
That didn't work for me in JBoss 7.1.1. Am I missing other configurations needed to make the cache work?