Bug
Resolution: Unresolved
Critical
Using Oracle DB, running Red Hat Linux.
When using @SecurityDomain in an EJB, I try to get a connection to a database using a datasource other than the DefaultDS, and it is somehow going to the driver defined for the DefaultDS.
Create a security domain; I used the BaseCertLoginModule. Then have two datasources set up, one that is named 'DefaultDS' and one that is named something else, 'AnotherDS'. Configure each datasource with a different driver. When you get inside a bean, get the 'AnotherDS' and call getConnection, then call something like prepareStatement. Sit back and watch the driver for the 'DefaultDS' get called.
Something seems to be getting corrupted in JBoss when you use @SecurityDomain or when you set up the context-specific stuff for use with the security domain, i.e. Context.SECURITY_PRINCIPAL.
Here is some of my code:
oracle-ds.xml (DefaultDS)
<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <connection-url>jdbc:oracle:thin:@host:1721:example</connection-url>
    <driver-class>com.example.driver.ProxiedOracleDriver</driver-class>
    <user-name>defaultds</user-name>
    <password>defaultds</password>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
    <metadata>
      <type-mapping>Oracle10g</type-mapping>
    </metadata>
  </local-tx-datasource>
</datasources>
A different DS with a different driver
<datasources>
  <local-tx-datasource>
    <jndi-name>AnotherDS</jndi-name>
    <connection-url>jdbc:oracle:thin:@host:1721:example</connection-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <user-name>anotherds</user-name>
    <password>anotherds</password>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
    <metadata>
      <type-mapping>Oracle10g</type-mapping>
    </metadata>
  </local-tx-datasource>
</datasources>
login-config.xml
<policy>
  <application-policy name="client-cert">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
        <module-option name="securityDomain">java:/jaas/client-cert</module-option>
        <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="ASecurityDomain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="securityDomain">java:/jaas/client-cert</module-option>
        <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
        <module-option name="unathenticatedIdentity">guest</module-option>
      </login-module>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
        <module-option name="restore-login-identity">true</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
Code in an EJB to get db stuff:
@Clustered
@Stateless
@Local(SecurityService.class)
@LocalBinding(jndiBinding="/ejb/SecurityRef")
@SecurityDomain("ASecurityDomain")
public class SecurityBean {
    @Resource(mappedName="java:/AnotherDS")
    private DataSource ds;

    public Integer testDB() throws SQLException {
        Connection dbConn = ds.getConnection();
        PreparedStatement pStmt = dbConn.prepareStatement("select count(*) from some_table");
        ResultSet rs = pStmt.executeQuery();
        rs.next();
        return new Integer(rs.getInt(1));
    }
}
Code in servlet to call EJB:
X509Certificate cert = null; /* get cert here */
Properties env = new Properties();
env.put(InitialContext.PROVIDER_URL, "jnp://server:1100");
env.put(InitialContext.SECURITY_PRINCIPAL, cert.getSubjectX500Principal());
env.put(InitialContext.SECURITY_CREDENTIALS, cert);
env.put(InitialContext.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
InitialContext cxt = new InitialContext(env);
SecurityService security = (SecurityService) cxt.lookup("/ejb/SecurityRef");
Integer result = security.testDB();
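
An added example, not part of the report and not JBoss code: both datasources above use the same connection URL, and the JDK's `DriverManager.getDriver(url)` selects by URL alone, returning the first registered driver that accepts it. The check below shows that behaviour with constructed stub drivers (`StubDriver`, `selectedBy` and the labels are hypothetical names). Whether JBoss resolves the driver this way in the reporter's setup is an assumption the report does not confirm.

```java
import java.sql.Connection;
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.DriverPropertyInfo;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.Properties;
import java.util.logging.Logger;

public class DriverSelectionCheck {

    // Constructed stand-in for a JDBC driver: claims every jdbc:oracle:thin: URL, opens nothing.
    static class StubDriver implements Driver {
        private final String label;
        StubDriver(String label) { this.label = label; }
        String label() { return label; }
        public boolean acceptsURL(String url) { return url != null && url.startsWith("jdbc:oracle:thin:"); }
        public Connection connect(String url, Properties info) { return null; }
        public DriverPropertyInfo[] getPropertyInfo(String url, Properties info) { return new DriverPropertyInfo[0]; }
        public int getMajorVersion() { return 1; }
        public int getMinorVersion() { return 0; }
        public boolean jdbcCompliant() { return false; }
        public Logger getParentLogger() throws SQLFeatureNotSupportedException {
            throw new SQLFeatureNotSupportedException("stub");
        }
    }

    // Which registered driver does DriverManager hand back for this URL?
    static String selectedBy(String url) throws SQLException {
        Driver d = DriverManager.getDriver(url);
        return (d instanceof StubDriver) ? ((StubDriver) d).label() : d.getClass().getName();
    }

    public static void main(String[] args) throws SQLException {
        // Both datasources in the report use this same connection URL.
        String url = "jdbc:oracle:thin:@host:1721:example";
        StubDriver proxied = new StubDriver("stand-in for DefaultDS driver");
        StubDriver plain = new StubDriver("stand-in for AnotherDS driver");
        DriverManager.registerDriver(proxied);
        DriverManager.registerDriver(plain);
        // The URL carries no hint of which datasource asked; the first match is returned.
        System.out.println("selected: " + selectedBy(url));
        DriverManager.deregisterDriver(proxied);
        System.out.println("after deregistering the first: " + selectedBy(url));
    }
}
```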