- Task
- Resolution: Done
- Major
You need to implement the security principal/credential leak fix differently, because the fix you provided will not work with older versions of JBoss without patching large parts of it. I think the solution should be done in the aspects security interceptor where, if the principal/credential is in the invocation object, they are cleared after the invocation is finished. Principal/credentials that live in the invocation mean that they were propagated from a remote invocation.
- is blocked by: EJBTHREE-384 Security Problem - Server fails to clear user authentication after standalone client disconnects (Closed)
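
A minimal model of the approach proposed in the description, as an added example that is not JBoss code and not part of the original issue: the class name, the two thread-locals and the `Invocation` type are hypothetical stand-ins. Identity carried by the invocation is installed for the call and cleared in `finally`, so a pooled worker thread holds nothing for the next caller.

```java
import java.security.Principal;
import java.util.concurrent.Callable;

// Hypothetical stand-ins for illustration; these are not JBoss classes.
public class ClearAfterInvocationDemo {
    // Per-thread security association, as held by a pooled server worker thread.
    static final ThreadLocal<Principal> PRINCIPAL = new ThreadLocal<>();
    static final ThreadLocal<Object> CREDENTIAL = new ThreadLocal<>();

    // Invocation carrying identity propagated from a remote client (null for local calls).
    static final class Invocation {
        final Principal principal;
        final Object credential;
        final Callable<Object> target;
        Invocation(Principal p, Object c, Callable<Object> t) {
            principal = p; credential = c; target = t;
        }
    }

    // Interceptor step: install propagated identity, call the target, then clear.
    static Object invoke(Invocation inv) throws Exception {
        boolean propagated = inv.principal != null || inv.credential != null;
        if (propagated) {
            PRINCIPAL.set(inv.principal);
            CREDENTIAL.set(inv.credential);
        }
        try {
            return inv.target.call();
        } finally {
            // Clear only what this invocation installed; runs even if the target throws.
            if (propagated) {
                PRINCIPAL.remove();
                CREDENTIAL.remove();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Principal alice = () -> "alice"; // constructed sample identity
        Object seen = invoke(new Invocation(alice, "secret".toCharArray(),
                () -> PRINCIPAL.get().getName()));
        System.out.println("during remote call: " + seen);
        // Next request on the same worker thread carries no identity.
        Object after = invoke(new Invocation(null, null,
                () -> PRINCIPAL.get() == null ? "none" : PRINCIPAL.get().getName()));
        System.out.println("next call on same thread: " + after);
    }
}
```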