A discussion with Thomas has brought out an issue for me.
The background is that a security context can come over the wire for remote calls. Now
whoever is constructing the invocation object on the server side has to be aware of this
change (i.e. they can set a SecurityContext on the session).
Given this, the containers (session, entity) have two choices:
a) Ensure that there is a security context on the invocation.
b) Accommodate any integration code (that may have created their own Invocation object and
forgotten to set the security context) and create the security context on the inv. This
can be bad because things like runas or any tokens that may be coming over the wire may be
lost.
I prefer a), but it may break clients.
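The two container choices described in the post above, as an added example that is not part of the original post and is not JBoss code: `SecurityContext`, `Invocation`, `requireContext` and `ensureContext` here are hypothetical stand-ins, and the principal, run-as role and token values are constructed.

```java
public class SecurityContextCheck {
    // Hypothetical stand-in for a context that arrived over the wire.
    static final class SecurityContext {
        final String principal, runAs, wireToken;
        SecurityContext(String principal, String runAs, String wireToken) {
            this.principal = principal; this.runAs = runAs; this.wireToken = wireToken;
        }
    }

    // Hypothetical stand-in for the server-side invocation object.
    static final class Invocation {
        private SecurityContext sc;
        void setSecurityContext(SecurityContext sc) { this.sc = sc; }
        SecurityContext getSecurityContext() { return sc; }
    }

    // Choice a): the container insists a context is present and fails closed.
    static SecurityContext requireContext(Invocation inv) {
        SecurityContext sc = inv.getSecurityContext();
        if (sc == null) {
            throw new IllegalStateException("Invocation has no SecurityContext");
        }
        return sc;
    }

    // Choice b): the container creates a context when one is missing.
    // The call proceeds, but the new context carries no run-as or wire token.
    static SecurityContext ensureContext(Invocation inv) {
        if (inv.getSecurityContext() == null) {
            inv.setSecurityContext(new SecurityContext(null, null, null));
        }
        return inv.getSecurityContext();
    }

    public static void main(String[] args) {
        // Constructed sample: the context the remote caller sent.
        SecurityContext fromWire = new SecurityContext("alice", "batchRole", "token-abc");
        Invocation wellFormed = new Invocation();
        wellFormed.setSecurityContext(fromWire);
        Invocation forgotten = new Invocation(); // integration code never copied fromWire

        System.out.println("a) well-formed: runAs=" + requireContext(wellFormed).runAs);
        try {
            requireContext(forgotten);
        } catch (IllegalStateException e) {
            System.out.println("a) forgotten: rejected (" + e.getMessage() + ")");
        }
        SecurityContext created = ensureContext(forgotten);
        System.out.println("b) forgotten: accepted, runAs=" + created.runAs
                + ", token=" + created.wireToken);
    }
}
```

Under a) the integration bug surfaces as an exception at the container boundary; under b) the call runs with `runAs` and the token both null, and nothing signals that they were dropped.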