We've observed a bug where SessionContext.getCallerPrincipal() inside a stateless EJB returns "anonymous" even when the EJB is invoked with a valid run-as principal. This behavior is inconsistent with the Jakarta EE specification and causes a TCK test failure.
Environment
- WildFly Version: WildFly 35.0.1.Final
- Java Version: OpenJDK 17
- TCK: Jakarta EE 10 EJB TCK
Steps to Reproduce
- Create an EAR file containing a Servlet and a stateless EJB.
- Annotate the Servlet with @EJB to inject and call the EJB.
- Annotate the EJB with @RunAsPrincipal("javajoe") to change the caller principal.
- Inside the EJB's business method, log the result of sessionContext.getCallerPrincipal().getName().
- Access the Servlet and observe the EJB log output.
Expected Behavior
The sessionContext.getCallerPrincipal().getName() should return "javajoe". The Elytron security framework correctly identifies the run-as principal, so the SessionContext should reflect this change.
Actual Behavior
The sessionContext.getCallerPrincipal().getName() returns "anonymous". This indicates a failure in propagating the run-as principal from the Elytron security context to the EJB's SessionContext.
Additional Information
- The debug logs show that Elytron's internal SecurityIdentity is correctly set to "javajoe".
- The issue persists even when using XML deployment descriptors (ejb-jar.xml and jboss-ejb3.xml) instead of annotations.
- This problem does not occur on other application servers, suggesting a WildFly-specific bug in the EJB and Elytron integration.
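The reproducer described in the steps above, written out as an added example (this is not the reporter's code or a WildFly/TCK artifact). It keeps the report's shape, a servlet injecting a stateless bean annotated with @RunAsPrincipal("javajoe") that logs its own getCallerPrincipal(), and adds a second plain stateless bean called from the run-as bean, because the EJB specification defines the run-as identity as the identity applied to the bean's outbound calls; logging both values shows at a glance which of the two reflects the run-as principal on a given server. The package name, the @RunAs role "Administrator" (WildFly requires @RunAs alongside @RunAsPrincipal) and the servlet path /caller are assumptions.

```java
// File: RunAsBean.java  (stateless bean carrying the run-as identity)
package com.example.runas;   // package name is an assumption

import java.util.logging.Logger;

import jakarta.annotation.Resource;
import jakarta.annotation.security.RunAs;
import jakarta.ejb.EJB;
import jakarta.ejb.SessionContext;
import jakarta.ejb.Stateless;
import org.jboss.ejb3.annotation.RunAsPrincipal;

@Stateless
@RunAs("Administrator")        // role name is an assumption; WildFly needs @RunAs with @RunAsPrincipal
@RunAsPrincipal("javajoe")     // the run-as principal the report expects to see
public class RunAsBean {
    private static final Logger LOG = Logger.getLogger(RunAsBean.class.getName());

    @Resource
    private SessionContext sessionContext;

    @EJB
    private TargetBean targetBean;

    public String report() {
        // Caller principal as seen inside the run-as bean itself: the check the report describes.
        String here = sessionContext.getCallerPrincipal().getName();
        // Caller principal as seen by a bean this one invokes; run-as applies to this outbound call.
        String downstream = targetBean.callerName();
        LOG.info("RunAsBean caller=" + here + ", TargetBean caller=" + downstream);
        return "RunAsBean: " + here + ", TargetBean: " + downstream;
    }
}

// File: TargetBean.java  (plain stateless bean, no run-as, same package)
package com.example.runas;

import jakarta.annotation.Resource;
import jakarta.ejb.SessionContext;
import jakarta.ejb.Stateless;

@Stateless
public class TargetBean {
    @Resource
    private SessionContext sessionContext;

    public String callerName() {
        return sessionContext.getCallerPrincipal().getName();
    }
}

// File: CallerServlet.java  (in the WAR of the EAR; the beans live in the EJB JAR)
package com.example.runas;

import java.io.IOException;

import jakarta.ejb.EJB;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@WebServlet("/caller")        // URL pattern is an assumption
public class CallerServlet extends HttpServlet {
    @EJB
    private RunAsBean runAsBean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Unsecured servlet: the web caller is unauthenticated, so the propagated
        // identity entering RunAsBean is the anonymous one; @RunAsPrincipal should
        // then switch the identity for RunAsBean's call into TargetBean.
        resp.setContentType("text/plain");
        resp.getWriter().println(runAsBean.report());
    }
}
```

Package the WAR and the EJB JAR into an EAR, deploy it, and request /caller; the servlet response and the server log carry both principal names. The org.jboss.ejb3.annotation package comes from the jboss-ejb3-ext-api artifact, so the EJB module needs that as a provided dependency. Per the specification the value observed in TargetBean is the one the run-as identity governs, so when triaging this report it is worth comparing that line with the report's own in-bean check before concluding where propagation is lost.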
Duplicates
- WFLY-20941 JB SessionContext.getCallerPrincipal() returns "anonymous" with @RunAsPrincipal (Closed)