We are using remote EJB calls and are finding role information being lost.

I have traced this to our use of JAAS authentication for the ApplicationRealm security realm

Within the handle() method of JaasCallbackHander it stores the current Security context at that point (via securityManager.push())

It then calls securityManager.authenticate() which results in login modules being called. We use the ClientLoginModule which stores information on the SecurityContext via SecurityAssociationActions.setPrincipalInfo

After authentication the JaasCallbackHandler calls securityManager.pop() which resets the SecurityContext back its state before authentication - thus losing the context set in the ClientLoginModule.

This only occurs via a remote ejb call, not via a call made from the web tier (as it does not use JaasLoginHandler)

Ideally I'd like some way to stop the JaasCallbackHandler reseting the SecurityContext (even if it was incredibly simple by checking for an attribute on the current security context)

The same operations work in EAP 6.3 / JBoss 7.2