Short followup - the implementation of the SecurityService and the PrincipalProvider work fine. They are wrapped by ProviderBasedProducer, which appears to be application scoped, and cache the result of the first lookup here: https://github.com/apache/openwebbeans/blob/trunk/webbeans-impl/src/main/java/org/apache/webbeans/portable/ProviderBasedProducer.java#L66
When running with proxy set to true, this is ok, but when proxy is false, the first Principal returned from the PrincipalProvider/SecurityService is held in the proxyInstance field forever and returned for every subsequent request. The second and subsequent requests never trigger PrincipalProvider.get() or SecurityService.getCurrentPrincipal() to be called. If you run my test, and put some breakpoints on these methods you'll see what I mean. Jon -- Sent from: http://apache-geronimo.328035.n3.nabble.com/Development-f342155.html
