OK, I've found a solution. In the case of the call to the EJB from the MBean, I added a
SecurityAssociation.pushRunAsIdentity(new RunAsIdentity("System",
"System")) and a corresponding pop around the operation.
In the case where I called from the web layer it turned out that I first call a SLSB,
which calls a method on an entity which tries to create another entity. At that point the
principal had been lost. I'm not sure why it didn't pick up
unauthenticated-principal at that point.
The solution for that was to add
<security-identity><use-caller-identity /></security-identity>
to all beans in ejb-jar.xml. There seems to be a bug there; according to
http://www.redhat.com/docs/manuals/jboss/jboss-eap-4.2/doc/Server_Configu...
it should be the default to use caller identity when no explicit security-identity is
present.
It seems the bug is in org.jboss.ejb.plugins.SecurityInterceptor#setContainer. I've
filed a bug report in jira at
https://jira.jboss.org/jira/browse/JBAS-7405
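The push/pop pairing described in the post, as an added example that is not part of the original post or of JBoss itself: the pop goes in a finally block so the "System" run-as identity cannot stay on a pooled thread when the operation throws. The class names RunAsSystem and MaintenanceService and the ReportLocal interface are hypothetical; the sketch assumes the JBoss AS 4.x org.jboss.security classes are on the classpath.

```java
import java.util.concurrent.Callable;

import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityAssociation;

/** Hypothetical helper: runs one operation under the "System" run-as identity. */
final class RunAsSystem {
    private RunAsSystem() {}

    static <T> T call(Callable<T> operation) throws Exception {
        // Role and principal names are the ones used in the post.
        SecurityAssociation.pushRunAsIdentity(new RunAsIdentity("System", "System"));
        try {
            // Every EJB call made on this thread inside the block sees the
            // pushed identity, so keep the wrapped operation as small as possible.
            return operation.call();
        } finally {
            // Always pop, also on exceptions: the run-as stack is per thread and
            // threads are reused, so a missing pop would leak the elevated
            // identity into whatever unrelated work runs on this thread next.
            SecurityAssociation.popRunAsIdentity();
        }
    }
}

/** Hypothetical MBean implementation calling an EJB through the helper. */
class MaintenanceService {
    /** Hypothetical EJB local interface, standing in for the real bean. */
    interface ReportLocal {
        int purgeExpired();
    }

    private final ReportLocal reports;

    MaintenanceService(ReportLocal reports) {
        this.reports = reports;
    }

    public int purgeExpired() throws Exception {
        return RunAsSystem.call(new Callable<Integer>() {
            public Integer call() {
                return Integer.valueOf(reports.purgeExpired());
            }
        });
    }
}
```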