I've created an EJB3 application with some JPA entities. Some of these entities have the notion of ownership. These entities have the getOwner() method, which returns the principal name of the subject that once created the entity (via sessionContext.getCallerPrincipal().getName()).

What I would like to do now is to perform ownership checking via a JPA entity listener.

Thus I login the user via JAAS "client-login" in a servlet filter, my JAAS login module sets the principal and "Roles" group on the subject and then the user can continue to update the entities which he owns. The ownership listener has a @PreUpdate method and here I would like to do the ownership checking.

For this I can use the SecurityAssociation.getPrincipal() which gives me the current caller principal as expected. The thing is that I would like to be as JBoss independent as possible. Thus I would like to use JACC. Via PolicyContext.getContext("javax.security.auth.Subject.container") I can retrieve the Subject from within the entity listener, but on this subject I only have a SimplePrincipal with name "guest", and of course the SimpleGroup "'Roles". I checked this out and even SecurityAssociation.getSubject.getPrincipals() only has "guest" for SimplePrincipal instead of the real caller principal name, while the SecurityAssociation.getPrincipal() gives back the correct active principal. How come?