Propagating Usernametoken username to EJB in Liberty Profile

I have a web service that is authenticated with Usernametoken without a password. Usernames are in LDAP and LDAP is configured in server.xml. When calling from Web service a stateless EJB where roles are defined with annotations for different users I always have an error: CWWKS9400A: Authorization failed for user UNAUTHENTICATED while invoking foobar on autokauppauej-ear. The user is not granted access to any of the required roles: [somerole].

Application binding is defined in server.xml:

<feature>appSecurity-2.0</feature>
...  
<enterpriseApplication id="foobar-ear" location="foobar-ear-0.0.1- 
SNAPSHOT.ear" name="autokauppauej-ear">
<application-bnd>
<security-role name="somerole">
<user name="someuser"/>
</security-role>
</application-bnd>

What am I missing or is this just a liberty feature?