I understand that JEE Specs report that:
“Propagation of Security Identity in EJB™ Calls” on page 15-176 are available only to threads executing the initial request or when the request is dispatched to the container via the
AsyncContext.dispatchmethod. Java Enterprise Edition features may be available to other threads operating directly on the response object via the
But I cannot understand why I've a non-anonymous principal only in Servlet container and not in the EJB part.
IMHO having a principal in a container (any container), should imply a non-anonymous principal in all the containers associated to the same security domain.
Can you please post the entire exception stacktrace? Also try enabling TRACE level logging of the org.jboss.security package and post those logs too.