We have been doing some testing using servlets calling EJB's from within Orion and we are consistently getting the wrong caller principal from the EntityContext.getCallerPrincipal method. We set up the properties object for InitialContext with java.security.principal/credential and we've also tried the RMIApp.java properties of username/password. No matter what we set, we always get "guest" for the calling principal. If I do the samething from a different JVM, the bean gets the correct principal. This is a major problem for us as the BMP implementation is using the value from getCallerPrincipal to enforce ACL's.