Thank you for your help, what was happening was that it allowed the access without any authentication. Right now I've found the solution. It's kind of weird because the change I made is not a big deal. It works with the next annotations config:
- My web.xml is now empty
- My EJB - Web Service:
With this change what I've got is that now the web service is exposed directly in a https://... URL. With the former config it was always exposed in http://... and now the authentication process is done correctly. To prevent simple http conections I removed the http connector from JBoss config (jbossweb.sar/server.xml). I would like to know if there's a better option to avoid http connections just for my application and not the whole server.
(btw ... I don't know if right now I should mark this topic as resolved)