In JBoss AS 6.10 I have annotated a Servlet and MDB with an @RunAS annotation and make a call to a protected session bean (protected via @SecurityDomain or a domain specified in jboss.xml) AND I have a login-module configured in login.config.xml for the same domain.
If a user makes a call to the Servlet and is not authenticated in any way, or the MDB is being triggered, I noticed that in some circumstances my login module is called. The base classes (UsernamePasswordLoginModule and AbstractServerLoginModule) have explicit code for handling unauthenticated logins, and the principal is assigned the "unauthenticatedIdentity" that I configured via a module-option in login.config. In my case this is "guest".
However, in other cases the login module is not being consulted at all, and the principal is assigned the identity "anonymous".
I have been experimenting with various setups, but I can't quite isolate the exact case that makes JBoss consult my login module, and thus why sometimes the identity is "guest" and sometimes it's "anonymous".