Propagating Usernametoken username to EJB in Liberty Profile

I have a web service that is authenticated with Usernametoken without a password. Usernames are in LDAP and LDAP is configured in server.xml. When calling from Web service a stateless EJB where roles are defined with annotations for different users I always have an error: CWWKS9400A: Authorization failed for user UNAUTHENTICATED while invoking foobar on autokauppauej-ear. The user is not granted access to any of the required roles: [somerole].

Application binding is defined in server.xml:

<enterpriseApplication id="foobar-ear" location="foobar-ear-0.0.1- 
SNAPSHOT.ear" name="autokauppauej-ear">
<security-role name="somerole">
<user name="someuser"/>

What am I missing or is this just a liberty feature?