Ok, I've found a solution. In the case with call to ejb from mbean I added a SecurityAssociation.pushRunAsIdentity(new RunAsIdentity("System", "System")) and corresponding pop around the operation.
In the case where I called from the web layer it turned out that I first call a SLSB, which calls a method on an entity which tries to create another entity. At that point the principal had been lost. I'm not sure why it didn't pick up unauthenticated-principal at that point. The solution for that was to add <security-identity><use-caller-identity /></security-identity> to all beans in ejb-jar.xml. There seem to be a bug there, according to http://www.redhat.com/docs/manuals/jboss/jboss-eap-4.2/doc/Server_Configuration_Guide/J2EE_Declarative_Security_Overview-Security_Identity.html it should be the default to use caller identity when no explicit security-identity is present. It seems the bug is in org.jboss.ejb.plugins.SecurityInterceptor#setContainer. I've filed a bug report in jira at https://jira.jboss.org/jira/browse/JBAS-7405 View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4262295#4262295 Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4262295 _______________________________________________ jboss-user mailing list jboss-user@lists.jboss.org https://lists.jboss.org/mailman/listinfo/jboss-user