Adrian Brock's Comment:

This is not correct. RunAs is about authorization NOT authentication.

Problem:

From an MDB with a correctly configured run-as attribute - the role configured in run-as has sufficient rights to access your SessionBeans and EntityBeans - you get

javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required

or else something like

...SecurityException: username=null

when trying to call a method on a secured SessionBean/EntityBean.

Solution:

In login-config.xml you have to add

<login-module code = 'org.jboss.security.ClientLoginModule'
              flag = 'required'>
</login-module>

to the stack of login modules in the application-policy you use to secure your SessionBeans/EntityBeans.