JBoss Community

Re: Remote client access with database login module: user name and password are UUIDs

created by andrei povodyrev in JBoss AS 7 Development

Seems like all remote calls have to be authenticated by remoting-connector.

This is the key: <connector name="remoting-connector" socket-binding="remoting" security-realm="TutorialRealm"/>, where the whole JBoss EJB remote access is tied to a single app realm. Seems like a mess. If you have multiple apps on the same server with their own security, maintaining access to them with a remote client is going to be a nightmare.


The application login module must have <module-option name="password-stacking" value="useFirstPass"/> to piggyback on the cached Principal/Credentials.

 

If the security realm (ApplicationRealm by default) is removed from remoting-connector, there is no way to authenticate an EJB remote call.

 

Tried multiple approaches

1)

jndiProperties.put(InitialContext.SECURITY_PRINCIPAL, "user");

jndiProperties.put(InitialContext.SECURITY_CREDENTIALS, "pass");

2)

org.jboss.security.client.SecurityClient

3)

org.jboss.security.auth.callback.AppCallbackHandler

 

User credentials set by the above means do not get to the Java EE security context, and random UUID values are used on the server, or $local if the setting SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER is not used.

 

A frequently referenced link from the JBoss 7 docs, https://docs.jboss.org/author/display/AS71/EJB+invocations+from+a+remote+client+using+JNDI, is not sufficient to make your remote clients work because it leaves the server configuration part out of the discussion.

 

Frustrated after fighting this for the third day in a row.
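
How the server-side pieces named in the post could fit together in standalone.xml, as an added example that is not part of the original post or of the JBoss documentation. The connector line and the realm name TutorialRealm come from the post; the security domain name tutorial-domain, the datasource JNDI name, the table names in the queries, and the choice to delegate the realm to the domain through a jaas element are assumptions.

```xml
<!-- Constructed standalone.xml fragments for AS 7.1; three separate places in the file. -->

<!-- 1. Remoting subsystem: the connector line quoted in the post.
        Every remote EJB connection authenticates against this one realm. -->
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting"
               security-realm="TutorialRealm"/>
</subsystem>

<!-- 2. Under <management><security-realms>: the realm hands the SASL
        username/password to a JAAS security domain (assumed wiring). -->
<security-realm name="TutorialRealm">
    <authentication>
        <jaas name="tutorial-domain"/>
    </authentication>
</security-realm>

<!-- 3. Security subsystem: the domain the realm delegates to and the EJBs use.
        tutorial-domain, TutorialDS and the table names are hypothetical. -->
<security-domain name="tutorial-domain" cache-type="default">
    <authentication>
        <!-- Picks up the identity already authenticated on the remoting
             connection and places it in the shared login state. -->
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <!-- The database login module. useFirstPass makes it reuse the
             principal/credentials cached by the module above instead of
             prompting again, which is the option the post calls out. -->
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/TutorialDS"/>
            <module-option name="principalsQuery"
                           value="SELECT password FROM users WHERE username = ?"/>
            <module-option name="rolesQuery"
                           value="SELECT role, 'Roles' FROM user_roles WHERE username = ?"/>
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>
```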
