I see the same behavior for 1a and 1b. The Subject contains a single principal with a name equal to the run-as/role-name
| 23:16:45,928 INFO [STDOUT] publicMethod, PolicyContext subject: Subject: | Principal: identitySubstitutionCaller | I have updated this to use the run-as principal and added the run-as roles in a group named "Roles" to be consistent with the default login module behavior: | 23:14:54,115 INFO [STDOUT] publicMethod, PolicyContext subject: Subject: | Principal: Roles(members:identitySubstitutionCaller) | Principal: [roles=[identitySubstitutionCaller],principal=runAsUser] | 2) the run-as principal should be returned consistently here because the run-as identity affects every callout made by the bean regardless of who the caller is. 3) This is definitely a bug: http://jira.jboss.com/jira/browse/JBAS-2661 View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3917395#3917395 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3917395 ------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click _______________________________________________ JBoss-user mailing list JBoss-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jboss-user