I tried to figure out how container-managed security is handled when Tomcat is running inside JBoss.
1. I found the source code for SecurityAssociationValve. However, I did not see anywhere that this valve is configured in server.xml, and it is clearly used in JBossSecurityMgrRealm:
    Principal caller = (Principal) SecurityAssociationValve.userPrincipal.get();
    if (caller == null && username == null && credentials == null)
        return null;