When @RunAs is used, Principal returned from SessionContext.getCallerPrincipal() is "anonymous". This is contrary to the EJB2.1 spec, section 21.2.5.1 Use of getCallerPrinicpal:

"Note that getCallerPrincipal returns the principal that represents the caller of the
enterprise bean, not the principal that corresponds to the run-as security identity for the bean, if any."

On the next page of the spec is an example of how to use getCallerPrincipal() which will break in JBoss if you apply @RunAs to the ejb method.

It looks like the problem is that SecurityAssociation.getCallerPrinicpal() is simply a cut-and-paste of SecurityAssociation.getPrincipal().