JBoss Community

JBoss 7 and Ejb remote call with security

new comment by andrei povodyrev

Seems like all remote calls have to be authenticated by remoting-connector.

The application login module must have <module-option name="password-stacking" value="useFirstPass"/> to piggyback on the cached Principal/Credentials.

If the security realm (ApplicationRealm by default) is removed from remoting-connector, there is no way to authenticate an EJB remote call.

Tried multiple approaches:

1) jndiProperties.put(InitialContext.SECURITY_PRINCIPAL, "user");
   jndiProperties.put(InitialContext.SECURITY_CREDENTIALS, "pass");

2) org.jboss.security.client.SecurityClient

3) org.jboss.security.auth.callback.AppCallbackHandler

User credentials set by the above means do not get to the Java EE security context, and random UUID values are used on the server, or $local if the setting SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER is not used.

Seems like a mess. If you have multiple apps on the same server with their own security, maintaining access to them with a remote client is going to be a nightmare.
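The server-side arrangement the comment describes, sketched as a standalone.xml fragment. This is an added example, not configuration from the original comment or from the JBoss project; the domain name app-domain and the two properties file names are hypothetical, and the application login module (UsersRoles here) stands in for whatever module the application really uses.

```xml
<!-- Added example: fragments of standalone.xml for JBoss AS 7. -->

<!-- Remoting subsystem: the connector authenticates every remote call
     against a security realm (ApplicationRealm by default). -->
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector"
               socket-binding="remoting"
               security-realm="ApplicationRealm"/>
    <!-- Dropping the security-realm attribute leaves no way to
         authenticate the EJB remote call, as the comment notes. -->
</subsystem>

<!-- Security subsystem: the application's own security domain.
     "app-domain" is a hypothetical name. -->
<security-domain name="app-domain" cache-type="default">
    <authentication>
        <!-- Picks up the identity already established by the
             remoting connector and shares it with later modules. -->
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <!-- Application login module: with useFirstPass it reuses the
             cached principal/credentials instead of asking again. -->
        <login-module code="UsersRoles" flag="required">
            <!-- Hypothetical file names, packaged with the application. -->
            <module-option name="usersProperties" value="app-users.properties"/>
            <module-option name="rolesProperties" value="app-roles.properties"/>
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>
```

With this layout the user must exist in the connector's realm as well as in the application's own store, which is the maintenance burden the comment points at when several applications each carry their own security domain.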