[ https://issues.jboss.org/browse/WFLY-2654?page=com.atlassian.jira.plugin.... ]
Tomasz Adamski reassigned WFLY-2654:
------------------------------------
Assignee: Tomasz Adamski (was: Stuart Douglas)
The run-as identity does NOT apply to the timeout callback method of an enterprise bean
---------------------------------------------------------------------------------------
Key: WFLY-2654
URL: https://issues.jboss.org/browse/WFLY-2654
Project: WildFly
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: EJB, Security
Affects Versions: 8.0.0.Beta1
Reporter: Matus Abaffy
Assignee: Tomasz Adamski
EJB 3.2 spec., 12.3.4.1 Run-as:
bq. The run-as identity applies ... to the timeout callback methods of an enterprise bean;
Assume the following classes:
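{code}
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.ejb.Timeout;
import javax.ejb.Timer;

@Stateless
@RunAs("alarm")
public class Alarm {
    @EJB
    private Bell bell;

    // some more logic

    // Timeout callback: calls made from here should carry the run-as role "alarm"
    @Timeout
    public void ejbTimeout(Timer timer) {
        bell.ring();
    }
}
{code}
{code}
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@RolesAllowed("alarm")
public class Bell {
    // Only callers in the "alarm" role may invoke this method
    public void ring() {}
}
{code}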
When the Alarm's timeout callback method is invoked due to timer expiration, bell.ring(); results in
{code}
ERROR [org.jboss.as.ejb3.invocation] (EJB default - 1) JBAS014134: EJB Invocation failed on component Bell for method public void org.jboss.as.test.integration.ejb.security.timeout.Bell.ring(): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void org.jboss.as.test.integration.ejb.security.timeout.Bell.ring() of bean: Bell is not allowed
{code}
Calling bell.ring(); from Alarm's business methods works as expected (no error).
Simple test case available at: https://github.com/bafco/wildfly/tree/timeoutSecurity