We've started moving our application from 3.2.5 to 4.0.2 and I've encountered a problem with the way subjects are propagated in the presence of a run-as identity:
I have a stateless session bean configured with a run-as role to allow it to access the model layer of the application. In 3.2.5, calls made from this session bean propagated the Subject (with the run-as role instead of the caller's role) to the callee, i.e. from the callee I could say
SecurityAssociation.getSubject()
SecurityAssociation.getSubject()
SecurityAssociation.getCallerPrincipal()