I am developing a multi-threaded MBean that will access a session bean on JBoss 3.0.1. As long as I've been using declarative security, everything was working fine. I have now switched to using programmatic security (getCallerPrincipal and isCallerInRole) in the session bean. In my priviledge checking routine, I call getCallerPrincipal and see that the user I am checking is set properly, and when I call isCallerInRole, it generally comes back with the expected 'true'.

However, when I am making these calls from a different thread in the MBean, it *sometimes* fails. The getCallerPrincipal is correct, but isCallerInRole fails. I traced the problem as far as org.jboss.ejb.EnterpriseContext, where I see that the 'principal' value in isCallerInRole is 'null'. The 'beanPrincipal' value, used by getCallerPrincipal, is the expected value. However, since isCallerInRole uses 'principal', the call always fails.

So, can anyone tell me why getCallerPrincipal returns 'beanPrincipal', bu isCallerInRole checks 'principal'? What's the difference here. I replaced the usage of 'principal' with 'beanPrincipal' in isCallerInRole, and now security works as expected.

Any clues? Have I found a bug? Or is there something I need to do special in a multi-threaded MBean that I'm missing?

TIA,
- Bill