I am running JBAS 4.0.4GA_Patch1. I have an annotated EJB3 MDB, with the following
annotations:
    @SecurityDomain("myRealm")
    @RunAs("system")
    @RolesAllowed({"admin", "system"})

Inside of my MDB, I am calling a function on a SLSB (called "UserBean"). Inside
of my SLSB UserBean, I execute the following call (notice the injected SessionContext):
    @Resource SessionContext context;

    public void someFunc(..)
    {
        // Look up the caller's identity from the injected context
        Principal p = this.context.getCallerPrincipal();
    }

Now, this SLSB call works just fine if I access the SLSB from, say, a web-services call (I
get the proper principal returned). However, when I call it from an MDB, I get the
following exception: "java.lang.IllegalStateException: No valid security context for
the caller identity".
After doing a bit of digging, I noticed that inside of the SecurityAssociation class, the
peekRunAsIdentity() function is being called with a depth of 1. Inside of
peekRunAsIdentity, the peek() function is trying to determine a valid "runas"
role. If I debug this, I can see the correct "system" role in the stack
(ArrayList) object, complete with an "anonymous" principal name. However, the
depth always gets set to -1 inside of the peek function, and so the "RunAs" role
is ignored. The peek() function (incorrectly) assumes that the principal is null, and
throws an IllegalStateException.
Something seems amiss here... Like I said, my code works fine, so long as it's not invoked
from an MDB. Can anybody comment on this?
Thanks!
David
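
Added example, not part of the original post and not JBoss source: a simplified Java model of the behaviour described above, assuming a run-as stack that holds a single entry and a caller lookup that peeks at depth 1 and then falls back to the authenticated principal. The class RunAsPeekModel, its methods and the sample principal name are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the lookup described in the post. Names are hypothetical;
// this is not JBoss source.
public class RunAsPeekModel {
    private final List<String> runAsStack = new ArrayList<>(); // per-thread in a real server
    private String authenticatedPrincipal;                     // null when nobody logged in

    void pushRunAs(String role) { runAsStack.add(role); }
    void setAuthenticatedPrincipal(String name) { authenticatedPrincipal = name; }

    // Skip `depth` entries from the top, then return the first non-null entry.
    String peekRunAs(int depth) {
        for (int i = runAsStack.size() - 1 - depth; i >= 0; i--) {
            if (runAsStack.get(i) != null) return runAsStack.get(i);
        }
        return null; // start index was already negative, or nothing was found
    }

    // Assumed caller resolution: run-as below the top entry, else the login principal.
    String getCallerPrincipal() {
        String caller = peekRunAs(1);
        if (caller == null) caller = authenticatedPrincipal;
        if (caller == null) {
            throw new IllegalStateException("No valid security context for the caller identity");
        }
        return caller;
    }

    static String describe(RunAsPeekModel ctx) {
        try {
            return ctx.getCallerPrincipal();
        } catch (IllegalStateException e) {
            return "ISE: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        RunAsPeekModel webCall = new RunAsPeekModel();   // constructed: authenticated caller
        webCall.setAuthenticatedPrincipal("david");
        System.out.println("web-service path: " + describe(webCall));

        RunAsPeekModel mdbCall = new RunAsPeekModel();   // constructed: MDB delivery, no login
        mdbCall.pushRunAs("system");                     // the only entry, as seen in the debugger
        System.out.println("peek depth 0:     " + mdbCall.peekRunAs(0));
        System.out.println("MDB path:         " + describe(mdbCall));
    }
}
```

With one entry on the stack, a depth of 1 makes the starting index 1 - 1 - 1 = -1, so the loop never runs and the "system" entry is skipped even though it is present.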