OK, so I found various threads (like this one:
http://www.jboss.org/index.html?module=bb&op=viewtopic&t=37807 and
http://www.jboss.org/index.html?module=bb&op=viewtopic&t=35269).

From what I can tell, the @RunAs annotation is merely specifying the
"role" to use, whereas an MDB that calls a secured SLSB will not have a
principal. The suggestions seem to be, "Just perform a JAAS login before accessing
your SLSB, and you'll be ok".

However, something about this isn't sitting right with me.

1.) If the MDB RunAs annotation is merely providing a role, but no principal,
shouldn't the "unauthenticated" identity get used, just with the @RunAs
role? This isn't happening, since my unauthenticated identity is "guest"
(in login-config.xml), the SecurityAssociation Stack (detailed above) is showing
"anonymous" as the principal, and JBAS doesn't care about either... it is
simply throwing an IllegalStateException whenever I try to access the principal inside of
my SLSB (called from an MDB). (Error: java.lang.IllegalStateException: No valid security
context for the caller identity).

2.) If I perform a programmatic JAAS login inside of my MDB, but just before calling my
SLSB, everything works fine. However, shouldn't I be able to use the unauthenticated
identity coupled with the RunAs role in this scenario?

Any thoughts?

David
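
The workaround the post describes (a programmatic JAAS login in the MDB just before the secured SLSB call), sketched as an added example that is not code from the original post or from JBoss. The `AuditService` interface, the `auditor` role, the queue name and the `example.mdb.*` system properties are hypothetical, and a `client-login` policy backed by JBoss's `ClientLoginModule` is assumed to be present in login-config.xml.

```java
import javax.annotation.security.RunAs;
import javax.ejb.ActivationConfigProperty;
import javax.ejb.EJB;
import javax.ejb.EJBException;
import javax.ejb.MessageDriven;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

// Hypothetical business interface of the secured SLSB.
interface AuditService {
    void record(String messageId);
}

@MessageDriven(activationConfig = {
    @ActivationConfigProperty(propertyName = "destinationType", propertyValue = "javax.jms.Queue"),
    @ActivationConfigProperty(propertyName = "destination", propertyValue = "queue/exampleQueue")
})
@RunAs("auditor") // supplies a role only; no caller principal comes with it
public class AuditMDB implements MessageListener {

    @EJB
    private AuditService audit;

    public void onMessage(Message msg) {
        LoginContext lc = null;
        try {
            // Assumption: the service account is provisioned outside the code.
            String user = System.getProperty("example.mdb.user");
            char[] pass = System.getProperty("example.mdb.password", "").toCharArray();
            // ClientLoginModule only binds principal and credential to the thread;
            // the SLSB's own security domain performs the real authentication.
            lc = new LoginContext("client-login", new UsernamePasswordHandler(user, pass));
            lc.login();
            audit.record(msg.getJMSMessageID()); // caller principal is now set
        } catch (Exception e) {
            throw new EJBException(e);
        } finally {
            if (lc != null) {
                // MDB threads are pooled: drop the identity before the thread is reused.
                try { lc.logout(); } catch (LoginException ignored) { }
            }
        }
    }
}
```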