Additional details for http://jira.jboss.com/jira/browse/JBAS-4317 | Thomas, the security context either comes over the wire (remote calls) or comes from the thread local (Local EJB invocations). So where-ever the Invocation object is created on the server side, the security context needs to be set on the Invocation object. The IllegalStateException thrown in the containers was one way of validating that whoever was creating the Invocation object has set the security context (just the way they would have done with .setPrincipal, setCredential etc). | | The primary issue is that there are various integration layers constructing the Invocation object rather than a central place. Some of the examples where the Invocation object is created on the server side include the BaseLocalProxyFactory, ProxyFinderFactory, CMPFieldBridgexxxx. | | So I will need to revert back the IllegalStateException and need your stack trace so that I can understand where your Invocation is being created. | | Once the containers have established that the invocation does contain a security context, they set it on the thread local so that the JACC PolicyContext get Subject call always takes care of the RunAsIdentity that came into the specific container. | View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4041418#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...