Migrating Security Domains to JBoss EAP 7.2

I want to migrate from JBoss EAP 6.4 to JBoss EAP 7.2 and continue to use my Custom Login Module implementations (javax.security.auth.spi.LoginModule). Problem is, that my Login Modules are never called and I get exceptions when calling EJBs annotated with the respective @SecurityDomain annotation.

I created a simple test case to verify the configuration.

standalone.conf

<!-- in subsystem security -->
<security-domains>
    <security-domain name="test" cache-type="default">
      <authentication>
        <login-module code="TestLoginModule" flag="required"/>
      </authentication>
    </security-domain>
</security-domains>
<elytron-integration>
    <security-realms>
      <elytron-realm name="test" legacy-jaas-config="test"/>
    </security-realms>
</elytron-integration>

I deploy a WAR with a servlet calling an EJB annotated with the security domain and the TestLoginModule. The servlet should return a string, but I get the following exception:

10:52:06,017 ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: 

EJB Invocation failed on component Response for method public java.lang.String Response.getResponseString(): javax.ejb.EJBAccessException: 

WFLYEJB0364: Invocation on method: public java.lang.String Response.getResponseString() of bean: Response is not allowed

What did I miss?