I tried the deployment descriptor with security in Chapter 8 of Ivan's notes.
Let me correct my previous post.
Both approaches work. Ivan's deployment descriptor is fine and no need to be updated.
<session>
<ejb-name>StatelessSession1Bean</ejb-name>
<local-bean/>
<ejb-class>com.ivan.scbcd6.ejbs.StatelessSession1Bean</ejb-class>
<session-type>Stateless</session-type>
<ejb-local-ref>
<ejb-ref-name>StatelessSession2Bean</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
...
</ejb-local-ref>
<resource-env-ref>
<resource-env-ref-name>java:comp/EJBContext</resource-env-ref-name>
<resource-env-ref-type>javax.ejb.EJBContext</resource-env-ref-type>
....
</resource-env-ref>
is the same as
<session>
<ejb-name>StatelessSession1Bean</ejb-name>
<local-bean/>
<ejb-class>com.ivan.scbcd6.ejbs.StatelessSession1Bean</ejb-class>
<session-type>Stateless</session-type>
<ejb-local-ref>
<ejb-ref-name>StatelessSession2Bean</ejb-ref-name>
<ejb-ref-type>Session</ejb-ref-type>
...
</ejb-local-ref>
<resource-env-ref>
<resource-env-ref-name>com.ivan.scbcd6.ejbs.CommonStatelessSessionBean/mSessionContext</resource-env-ref-name>
<resource-env-ref-type>javax.ejb.EJBContext</resource-env-ref-type>
....
</resource-env-ref>