Yesterday our web application ran fine on WildFly 9. Since this morning I get only a "Forbidden" in the web browser. We don't use JAAS. There is also no difference if I set the following value to false in the standalone.xml:

...
<subsystem xmlns="urn:jboss:domain:ejb3:3.0">
   ...
   <default-missing-method-permissions-deny-access value="true"/>
   ...
</subsystem>
...

What can be the reasons that WildFly only shows the "Forbidden" page?

EDIT

If I set the log level for package org.jboss.security to TRACE I get the following message in the log file while calling the page:

2016-01-27 12:58:15,354 TRACE [org.jboss.security] (default task-5) PBOX00354: Setting security roles ThreadLocal: null

Not sure what this means ...

My EAR project and the inherited WAR project in eclipse was broken. There were several things missing like at example the application.xml.

Not sure why these things are missing and where I have lost it. But after fixing both projects deployments it works again.

That can occur if you do not have any index.html file at the root of the war file (in WebContent in Eclipse) or your write it wrongly like: Index.html

Same issue if <welcome-file> is not properly set up in WEB-INF/web.xml descriptor

My EAR project and the inherited WAR project in eclipse was broken. There were several things missing like at example the application.xml.

Not sure why these things are missing and where I have lost it. But after fixing both projects deployments it works again.

That build must be corrupted. Re-build the application, create war again and deploy it again. It will work.