WildFly / WFLY-6699

Custom principal is lost during remote EJB authentication


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Major
    • Labels: None
    • Affects Version/s: 10.0.0.Final
    • Component/s: EJB, Security
    • Fix Version/s: None

      A custom principal (instead of the JBoss-provided SimplePrincipal class) is used to store the authenticated username in a custom login module. The custom principal class is lost when attempting to retrieve it from the subject from within a secured EJB. The custom principal is only lost if it is used to store the username instead of using the JBoss-provided SimplePrincipal class. Other instances of the custom principal class are passed along successfully if they are storing something besides the username (SSN, CustomerID, etc.).

      It looks like this is happening due to a change (introduced in 6.4.6) in the org.jboss.as.security.service.SimpleSecurityManager.authenticate method:

      @@ -445,8 +408,11 @@ public class SimpleSecurityManager implements ServerSecurityManager

      { auditPrincipal = unauthenticatedIdentity.asPrincipal(); subject.getPrincipals().add(auditPrincipal); authenticated = true; + }

      else

      { + subject.getPrincipals().add(principal); }
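Review bot: the new else branch adds `principal` to `subject.getPrincipals()` unconditionally, with no check for whether the login module has already placed a principal for the same user in that set; when the existing entry is a custom Principal subclass, callers that resolve the identity by name rather than by class can now pick up the newly added object instead of the one the login module stored. Suggest guarding the add (skip it when a principal with `principal.getName()` is already present, or reuse that existing instance), and stating in the commit message why the authenticated path now also needs the principal added to the Subject, since the quoted hunk only shows the unauthenticated-identity case doing so before.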

      This change was associated with bz-921217.

      This only happens when the EJB is accessed from a remote standalone client. If the EJB is accessed from a secured web app (locally), then the custom principal is not lost.
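      The following is an added illustration, not code from this issue, WildFly or PicketBox. It models the two adds the description and the quoted hunk refer to using only JDK types (`javax.security.auth.Subject`, `java.security.Principal`); the classes `CustomPrincipal` and `NamePrincipal`, the customer-ID attribute and the user name are assumptions made for the demo. It separates the two things a secured EJB can observe: whether the custom principal is still present in the Subject at all, and whether a name-based lookup happens to return it.

```java
import java.security.Principal;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.Subject;

/*
 * Added illustration, not WildFly or PicketBox code. It reproduces the two adds
 * described in the issue with plain JDK types and shows which lookups still find
 * the custom principal afterwards.
 */
public class PrincipalLookupDemo {

    /** Hypothetical custom principal: carries the username plus an extra attribute. */
    static final class CustomPrincipal implements Principal {
        private final String name;
        private final String customerId;

        CustomPrincipal(String name, String customerId) {
            this.name = name;
            this.customerId = customerId;
        }

        @Override public String getName() { return name; }
        String getCustomerId() { return customerId; }

        @Override public boolean equals(Object o) {
            return o instanceof CustomPrincipal
                    && name.equals(((CustomPrincipal) o).name)
                    && customerId.equals(((CustomPrincipal) o).customerId);
        }
        @Override public int hashCode() { return Objects.hash(name, customerId); }
        @Override public String toString() { return "CustomPrincipal[" + name + "]"; }
    }

    /** Stand-in for the container's default name-only principal (assumed shape). */
    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamePrincipal && name.equals(((NamePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "NamePrincipal[" + name + "]"; }
    }

    /** Builds the Subject as the issue describes it: login module first, then authenticate(). */
    static Subject buildSubject(String user) {
        Subject subject = new Subject();
        // Step 1: the custom login module stores the username in the custom class.
        subject.getPrincipals().add(new CustomPrincipal(user, "C-1001"));
        // Step 2: the else branch of the quoted hunk adds the principal it was handed;
        // modelled here as the default name-only type for the same user.
        subject.getPrincipals().add(new NamePrincipal(user));
        return subject;
    }

    /** Name-based lookup: the Set's iteration order decides which of the two you get. */
    static Principal findByName(Subject subject, String user) {
        for (Principal p : subject.getPrincipals()) {
            if (user.equals(p.getName())) {
                return p;
            }
        }
        return null;
    }

    /** Type-based lookup: unaffected by any other principal that shares the name. */
    static CustomPrincipal findCustom(Subject subject) {
        Set<CustomPrincipal> found = subject.getPrincipals(CustomPrincipal.class);
        return found.isEmpty() ? null : found.iterator().next();
    }

    public static void main(String[] args) {
        Subject subject = buildSubject("alice");
        System.out.println("principals in Subject: " + subject.getPrincipals());
        System.out.println("by name : " + findByName(subject, "alice"));
        System.out.println("by type : " + findCustom(subject));
    }
}
```

      Run inside the secured EJB against the real Subject, the two lookups distinguish the cases: if `findCustom` returns null, the custom principal never reached the Subject the EJB sees (which is what the description reports for the remote-client path); if it returns the instance while `findByName` returns the name-only principal, the principal is present and only the name-based lookup is picking the wrong entry.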

              Assignee: Vlado Pakan (vpakan)
              Reporter: Vlado Pakan (vpakan)
                  Original Estimate: 1w 2d
                  Remaining Estimate: 1w 2d
                  Time Spent: Not Specified