If an ejb defines a runas, then we push it on the security context for usage in the call path (thread level). So in the case of ejb local calls, if the sec context is null, then there is no run-as. But it is very very important for local calls. Currently, the magic code exists in the PreSecurityInterceptor (which I need to clean up a bit eventually) to detect the run as in local calls. This was the question I had a few months back on the AS5 call( with you and Scott). I was told to aspectize security and not do anything with the invocation object. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4143534#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...