Project: Application Server 3 4 5 and 6
Issue: JBAS-4003

using run-as causes anonymous principal to be propagated across EARs and security domains


    • Type: Bug
    • Resolution: Obsolete
    • Priority: Major
    • Fix Version: No Release
    • Affects Version: JBossAS-4.0.5.GA
    • Component: Security
    • Labels: None

      Using run-as causes anonymous principal to be propagated across EARs and security domains.

      I have an MDB in EAR 1 with run-as configured.

      It calls a session bean in the same EAR and the reported identity in the target session bean's method is anonymous, which is OK.

      The session bean then calls another session bean in another EAR which is in a different security-domain.

      A ClientLoginModule is used to authenticate in the other security domain.

      Nevertheless, the target bean sees the caller as anonymous, with the role configured as run-as in EAR1.

      The same code works OK when run-as is removed from configuration.

      I understand that the run-as role with anonymous identity is propagated across subsequent ejb calls, however it should not be propagated when explicit login is used on some other security domain. After all, the whole point of authenticating into a security domain is to establish an identity in that domain. It seems that the newly established identity is ignored in favour of the run-as identity and role propagated from the original security domain.

              Assignee: Anil Saldanha (anil.saldhana)
              Reporter: Michał Borowiecki (mihbor)
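The call chain in the report, written out as a small instrumented reproduction so that each hop records the identity the container actually presents. This is an added example and not code from the report or from JBoss; it uses EJB 3 annotations for brevity (the equivalent run-as and security-domain settings can be written in ejb-jar.xml and jboss.xml). The bean and interface names, the package, the queue name, the user "probe"/"secret", the role name "RunAsRole", the JNDI name of the remote bean and the domain names "ear1"/"other" are all assumptions. "client-login" is the stock JBoss 4 login-config.xml entry backed by org.jboss.security.ClientLoginModule.

```java
// Added example, not part of JBAS-4003. All names below are assumed for illustration.
package example.identitytrace;

import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.RunAs;
import javax.ejb.ActivationConfigProperty;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.MessageDriven;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

/** Records, for one hop, who the container says the caller is and whether it holds a role. */
final class IdentityTrace {
    static String describe(String hop, SessionContext ctx, String role) {
        Principal p = ctx.getCallerPrincipal();
        String name = (p == null) ? "<null>" : p.getName();
        return hop + ": caller=" + name + " inRole(" + role + ")=" + ctx.isCallerInRole(role);
    }
}

/** EAR 2, deployed in security domain "other" (jboss.xml: <security-domain>java:/jaas/other</security-domain>). */
@Remote
interface TargetDiag {
    String whoAmI();
}

@Stateless
class TargetDiagBean implements TargetDiag {
    @Resource private SessionContext ctx;

    public String whoAmI() {
        // With a working explicit login this hop should report caller=probe and inRole(RunAsRole)=false.
        // The report describes caller=anonymous with the EAR 1 run-as role still present at this point.
        return IdentityTrace.describe("EAR2/other", ctx, "RunAsRole");
    }
}

/** EAR 1, security domain "ear1". Called by the MDB; logs in explicitly before crossing into EAR 2. */
@Local
interface Bridge {
    String crossDomainProbe();
}

@Stateless
class BridgeBean implements Bridge {
    @Resource private SessionContext ctx;
    @EJB(mappedName = "TargetDiagBean/remote") private TargetDiag target; // assumed JNDI name

    public String crossDomainProbe() {
        StringBuilder log = new StringBuilder();
        log.append(IdentityTrace.describe("EAR1/bridge", ctx, "RunAsRole")).append('\n');
        // ClientLoginModule does not verify the credentials locally; it only sets the identity
        // that is sent on the next outbound call, so the target domain decides who "probe" is.
        LoginContext lc = null;
        try {
            lc = new LoginContext("client-login",
                    new UsernamePasswordHandler("probe", "secret".toCharArray()));
            lc.login();
            log.append(target.whoAmI());
        } catch (LoginException e) {
            log.append("client login failed: ").append(e.getMessage());
        } finally {
            if (lc != null) {
                try { lc.logout(); } catch (LoginException ignored) { /* nothing to restore */ }
            }
        }
        return log.toString();
    }
}

/** EAR 1 MDB with run-as; equivalent to <security-identity><run-as><role-name>RunAsRole</role-name></run-as></security-identity>. */
@MessageDriven(activationConfig = {
    @ActivationConfigProperty(propertyName = "destination", propertyValue = "queue/probe") // assumed queue
})
@RunAs("RunAsRole")
class ProbeMdb implements MessageListener {
    @EJB private Bridge bridge;

    public void onMessage(Message m) {
        // Two lines: the identity seen inside EAR 1, then the identity seen inside EAR 2.
        System.out.println(bridge.crossDomainProbe());
    }
}
```

The two log lines make the boundary visible: if the second hop still prints caller=anonymous with inRole(RunAsRole)=true after the explicit login, authorization in the "other" domain is being evaluated against the run-as identity propagated from "ear1" rather than against the identity established by ClientLoginModule, which is the behaviour the report describes. Comparing the same two lines with run-as removed from the MDB gives the baseline the reporter used.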