Before calling JBoss you need to explicitly do the JBoss client side authentication, ClientLoginModule I think it's called. This will set the correct user for the call.

Since calls from different users will go through the same servlet, you will need to do this for every new request.

You'll also have to remember that client-side login is handled per thread, not per application, nor per user, nor per Subject.

I.e., the correct way is to do the client-side login dance once per HTTP request. Preferrably, right at the beginning. You can (and of course should) cache the user login data, not the principal, but you'll have to tell it to JBoss again for each thread anyway.

If you want to get technical, from what I can tell, client-side login really doesn't do much. Although it may seem that you've logged in and everything, at that point you're _not_ really logged into anything, and your Subject or Principal(s) aren't even worth the bits they're printed on. What client-side login really does is just attach the user name and password to the Thread. (Well, to a ThreadLocal, but same idea.)

The actual authentication will happen on the server, the first time you call an EJB. (And in fact, _every_ time you call an EJB.) When a RMI/IIOP call happens, the RMI implementation looks into the ThreadLocal, and automatically bundles that name and password, if they exist, with the actual EJB call parameters. On the server side, JBoss extracts these extra parameters from the call, and calls the actual (server-side) login module to validate them and obtain an actual Subject and Principal. (These are _not_ the same Subject and Principal as the bogus ones you got when "logging in" client-side.) It's these, not the client-side ones, that will be used for the "declarative security" part and passed to the EJB's as part of the EJBContext.