Hello,
I've noticed the following strange behaviour using the @RunAs annotation in a secured
STSB.
I've tried JBoss 5.0.1.GA and 5.1.0.GA.
Take a look at the following simple scenario: three secured STSBs, Caller, A and B. Caller
runs as Admin, defined by the @RunAs("Admin") annotation, and uses the role Admin for
all method calls on other STSBs. STSB A allows access only to Admins (realized by the
@RolesAllowed("Admin") annotation); the same definition can be found in
STSB B. All STSBs are in the same security domain, defined by
@SecurityDomain("foo").
1) Authorized Client calls Caller method (the Client hasn't got the role
"Admin")
2) Caller method calls A method (as an "Admin")
3) A method calls B method. (I supposed that the "Admin" role is propagated to
the second call)
1) and 2) are OK.
3) throws "Caller unauthorized" exception.
Is this a bug or a feature?
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4233507#...
Reply to the post :
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...
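The three-bean setup described in the post, written out as an added example (it is not code from the original post or from JBoss). Interface names, method names, the package, and the client's role "User" are assumptions, since the post names none of them; the annotations and the "foo" security domain are the post's own. Bean B additionally reports the principal and role it actually observes, which is the check you want when deciding whether the run-as identity established in Caller survives the hop through A. Each EJB class must be public and in its own source file in a real deployment; they are shown non-public in a single listing only so the whole scenario fits on one page.

```java
package example;  // assumed package; the post names none

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;

// Local business interfaces (names assumed; the post does not give them).
@Local
interface CallerLocal {
    String invokeChain();
}

@Local
interface ALocal {
    String forward();
}

@Local
interface BLocal {
    String whoIsCalling();
}

// Step 1: a client holding the assumed role "User" (not "Admin") calls Caller.
// Caller is declared to run as "Admin", so the calls it makes should carry that role.
@Stateless
@SecurityDomain("foo")
@RunAs("Admin")
@RolesAllowed("User")
class Caller implements CallerLocal {
    @EJB
    private ALocal a;

    public String invokeChain() {
        return a.forward();          // step 2: Caller -> A, expected to pass as "Admin"
    }
}

// Step 2: A admits only "Admin" and declares no @RunAs of its own.
@Stateless
@SecurityDomain("foo")
@RolesAllowed("Admin")
class A implements ALocal {
    @EJB
    private BLocal b;

    public String forward() {
        return b.whoIsCalling();     // step 3: A -> B; the post reports "Caller unauthorized" here
    }
}

// Step 3: B admits only "Admin" and reports the identity the container presents to it.
@Stateless
@SecurityDomain("foo")
@RolesAllowed("Admin")
class B implements BLocal {
    @Resource
    private SessionContext ctx;

    public String whoIsCalling() {
        // getCallerPrincipal() and isCallerInRole() are standard javax.ejb.SessionContext calls.
        return "principal=" + ctx.getCallerPrincipal().getName()
             + " inAdmin=" + ctx.isCallerInRole("Admin");
    }
}
```

To use this as a diagnostic, deploy it with a login module configured for the "foo" domain, call Caller from a client that authenticates with the "User" role, and log what invokeChain() returns. If the call into B is rejected exactly as the post describes, temporarily replace @RolesAllowed("Admin") on B with @PermitAll: B's whoIsCalling() then shows whether the identity arriving from A is still the run-as "Admin" or has reverted to the original client's principal, which is the fact that decides whether role propagation across the second hop is happening at all. Note that under a run-as identity the principal name JBoss reports is container-specific unless a run-as principal is configured explicitly (JBoss provides org.jboss.ejb3.annotation.RunAsPrincipal for that), so rely on the isCallerInRole("Admin") result rather than on the principal string.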