How to configure EJB security in a web application?

web.xml:

BASIC
file

glassfish-web.xml:

admin
admin


user
user

The role based security works well in web tier, e.g. JSF backing beans, but doesn't work in EJB tier. I also tried to add a glassfish-ejb-jar.xml, but it didn't help. Isn't the credential automatically propagated from web tier to EJB tier? Or do I miss any configurations?