We are deploying an EAR and a WAR on JBoss 7 AS. We are able to log in to the application (EAR) and conduct transactions. We use the SecurityContextAssociation to set the principal. We access the web application from a browser. After doing this, our application throws an exception. This is because EJBContext.getCallerPrincipal() no longer returns an instance of our principal but JBoss SimplePrincipal. On debugging, we found that the call to the web server is setting a new SecurityContext. It's been done by SecurityContextAssociationValve.
How can we prevent the SecurityContext from getting cleared and a new one being set when the web application is accessed?