I deployed an EJB to the WLS (8.1.2) on domain A using the default security policy:
"everyone" can call this EJB. A standalone client application can invoke this
EJB without setting Context.SECURITY_PRINCIPAL. However, if I use the exact same
code to invoke this EJB from another WLS domain B, I get "SecurityException: [Security:090398]Invalid
Subject..." (WLS on domain B has single sign-on, so there is a subject associated
with the current thread).

I understand that the issue will be resolved if I set the domain-wide credentials
to be the same for domain A and B. But for some other reason, I prefer not to
do that.

My question is: if the EJB's security policy is to allow "everyone" to invoke it,
why does calling from WLS demand more security checking? Why bother? Any workaround?