ejb apps with spec security constraints should only deploy if there are corresponding geronimo security constraints, as with web apps

for quite a while we have only allowed you to deploy a web app with security constraints if you also supply a geronimo security configuration; otherwise you get no security constraints at all. We should be doing the same for ejb apps. While this may be inconvenient for those who want to try deploying an app without completing the configuration, the alternative is to give the impression that the deployed app is enforcing the security constraints – which it is not.

I suppose an alternative might be to figure out a way to deploy and just forbid access to any resources that are constrained.