Hi,
your "jboss.xml" declares this security domain: "java:/jaas/myapp-secure-domain". But your login-config.xml uses "application-policy name="javaee6-app" ". Is this just a "typo" in your second configuration snippet? If not: the policy name has to match the security domain name.
By the way 1: you don't need the "java:/jaas/" prefix in jboss.xml as far as I know.
By the way 2: you did not declare a DTD/XSD version in e.g. jboss.xml?
It should look like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC
"-//JBoss//DTD JBOSS 5.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd">
<jboss>
<security-domain>myapp-secure-domain</security-domain>
</jboss>
Maybe JBoss defaulted to an older DTD which does not support the "security-domain" feature.
Best regards
Wolfgang