Let's disable authentication for a remote service method using @AccessControlled(guestAccessEnabled=true).
During a non-authenticated web service call, when this method uses another remote service (GroupServiceUtil, UserServiceUtil, ...), access to the non-public remote service is denied because:
1. the non-public service is annotated with guestAccessEnabled=false
2. we are still in a remote call
See AccessControlAdvice and AccessControlAdvisorImpl.
guestAccessEnabled=true should only disable authentication but not permission checking.
Workaround: use only local services and always check permissions manually.
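
The nested-call behaviour described above, as an added example: a simplified, self-contained model, not Liferay source code. The class name, the thread-local flags, the `advise` helper and the exception message are hypothetical stand-ins for what AccessControlAdvice and AccessControlAdvisorImpl consult.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;

// Simplified model of the reported behaviour; not Liferay source code.
public class GuestAccessModel {

    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface AccessControlled { boolean guestAccessEnabled() default false; }

    // Hypothetical stand-ins for the per-request state the advice reads.
    static final ThreadLocal<Boolean> remoteAccess = ThreadLocal.withInitial(() -> false);
    static final ThreadLocal<Boolean> guest = ThreadLocal.withInitial(() -> true);

    // Models the advice: evaluated before every *remote* service method.
    static void advise(String methodName) throws Exception {
        Method m = GuestAccessModel.class.getDeclaredMethod(methodName);
        AccessControlled ac = m.getAnnotation(AccessControlled.class);
        boolean guestOk = ac != null && ac.guestAccessEnabled();
        // The remote flag is still set inside a nested call, so the callee's
        // own annotation decides, not the entry point's.
        if (remoteAccess.get() && guest.get() && !guestOk) {
            throw new SecurityException("Authenticated access required: " + methodName);
        }
    }

    @AccessControlled(guestAccessEnabled = true)
    static String publicEntryPoint() throws Exception {
        advise("publicEntryPoint");
        return getGroupRemote();          // nested remote service call
    }

    @AccessControlled(guestAccessEnabled = false)
    static String getGroupRemote() throws Exception {
        advise("getGroupRemote");
        return getGroupLocal();
    }

    // Local service: no advice runs, so the caller must check permissions itself.
    static String getGroupLocal() { return "group"; }

    public static void main(String[] args) throws Exception {
        remoteAccess.set(true);           // unauthenticated web service request
        try {
            publicEntryPoint();
        } catch (SecurityException e) {
            System.out.println("nested remote call denied: " + e.getMessage());
        }
        System.out.println("local call returns: " + getGroupLocal());
    }
}
```

The local call succeeds with no check at all, which is why the workaround requires an explicit permission check before every local service call made on behalf of a guest.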