Hey,

This should not work. We have some doc about how to protect EJBs [1], but I'm not sure if it is still true for the new versions of WildFly.

But there is always a workaround, right ? You can try to access the authenticated subject from

org.jboss.security.SecurityContextAssociation

[1] https://docs.jboss.org/author/display/PLINK/Protecting+EJB+Endpoints