isCallerInRole is not allowed to be called from an MDB,
true I missed to recollect this.
EJB 3 In Action,
page 208
Like transaction management, authentication can be either
declarative or programmatic, each of which provides a different level of control
over the authentication process. In addition, like the transaction management
features discussed in this chapter,
security applies to session beans and MDBs, and
not the JPA entities.
I am not sure how security works for MDB?