In the case where this IS an error, I see the org.jboss.security.jacc.DelegatingPolicy class (and the implies() API) come into play, while in the other (working) case, I see the ContextPolicy and the implies() API in that class come into play...

So, there is definitely some difference but whether or not this is what is causing the problem, I don't know at this point :(

public boolean implies(ProtectionDomain domain, Permission permission)
 {
 // Check the
 boolean isJaccPermission = permission instanceof EJBMethodPermission
 || permission instanceof EJBRoleRefPermission
 || permission instanceof WebResourcePermission
 || permission instanceof WebRoleRefPermission
 || permission instanceof WebUserDataPermission;
 boolean implied = false;
 // If there are external permission types check them
 if( isJaccPermission == false && externalPermissionTypes.length > 0 )
 {
 Class pc = permission.getClass();
 for(int n = 0; n < externalPermissionTypes.length; n ++)
 {
 Class epc = externalPermissionTypes[n];
 if( epc.isAssignableFrom(pc) )
 {
 isJaccPermission = true;
 break;
 }
 }
 }

 if (isJaccPermission == false)
 {
 // Let the delegate policy handle the check
 implied = delegate.implies(domain, permission);
 }
 else
 {
 if (trace)
 {
 log.trace("implies, domain=" + domain + ", permission=" + permission);
 try
 {
 Subject caller = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
 log.trace("implies javax.security.auth.Subject.container: "+caller);
 }
 catch(Throwable e)
 {
 log.trace("Failed to access Subject context", e);
 }
 }
 String contextID = PolicyContext.getContextID();
 ContextPolicy contextPolicy = (ContextPolicy) activePolicies.get(contextID);
 if (contextPolicy != null)
 implied = contextPolicy.implies(domain, permission);
 else if (trace)
 log.trace("No PolicyContext found for contextID=" + contextID);
 }
 if (trace)
 {
 log.trace("implied=" + implied);
 }
 return implied;
 }

Principal[] principals = domain.getPrincipals();