Just in case others are having a similar problem, I thought I would post what I found.
It seems that unless I configure a security domain, security is not checked. I'm not sure that's true, but that's how it looks.
I decided that I wanted to use a DatabaseServerLoginModule, so I configured JBoss AS to have one, and named the application-policy (in login-config.xml) "database-domain".
Once that was in place and working, the @RolesAllowed in my EJB3 bean method was still not taking effect. I found that I needed to add the following annotation to the bean class:
Note that there is also @org.jboss.security.annotation.SecurityDomain(), but it didn't work. I'm not sure of the difference between these two.
Once I added the (correct) SecurityDomain annotation to the bean class, the @RolesAllowed annotation on the bean method was honored.
Thanks,
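
A login-config.xml entry of the kind the post describes, as an added example rather than the poster's actual configuration. The policy name "database-domain" and the DatabaseServerLoginModule come from the post; the datasource JNDI name, table and column names, and the hashing options are assumptions.

```xml
<!-- Added example: application-policy for the "database-domain" security domain. -->
<application-policy name="database-domain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- Assumed datasource; point this at the datasource that holds the user tables. -->
      <module-option name="dsJndiName">java:/ExampleDS</module-option>

      <!-- Assumed schema: returns the stored password (hash) for the login name. -->
      <module-option name="principalsQuery">
        SELECT password FROM app_users WHERE username = ?
      </module-option>

      <!-- Assumed schema: the second column must be the role group name 'Roles'.
           The role values returned here are what @RolesAllowed is matched against. -->
      <module-option name="rolesQuery">
        SELECT role_name, 'Roles' FROM app_user_roles WHERE username = ?
      </module-option>

      <!-- Assumption: passwords are stored as base64-encoded SHA-256 digests
           instead of clear text. Omit both options only if the column really
           holds clear-text passwords. -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>
```

The bean's SecurityDomain annotation must name the same policy ("database-domain"); if the names do not match, the container does not consult this login module for the bean.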