The StatefulSessionInstanceInterceptor is pushing the security context using the legacy SecurityAssociation.setPrincipal()/setCredential() methods and although this has no affect on the authentication/authorization of the caller, it does have a side effects on the callee's security context that shows up in custom security integration code that is trying to use the SecurityAssociation state. The StatefulSessionInstanceInterceptor needs to be consistent with the other interceptors with regard to management of the security context stack.