What would be the best approach to support this scenario?
Precondition: On the client side, the SecurityInterceptor is not part of the interceptor stack, because the principal and credentials of the SecurityAssociation are not relevant when doing client certificate authentication. This leaves the principal and credentials of the Invocation object with null values.
If we move on to the server side, we could configure a login-config with CLIENT-CERT in the deployment descriptor for invoker.war. Then after a successful client login, JBossSecurityMgrRealm will set the principal and credentials (a certificate chain) of the SecurityAssociation. Now, one possible approach is to check in the InvokerServlet if the MarshalledInvocation has a null principal and credential. If so, and if the SecurityAssociation contains a principal and a credential, we could take the values from the SecurityAssociation and set the values on the MarshalledInvocation. Would that be an idea that is worth following?
Yes, and you would need a ClientCertLoginModule in the ejb security domain config to validate the cert credential.
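The check described in the question (fill the principal and credential of the MarshalledInvocation from the SecurityAssociation when the client left them null), written out as an added example. This is not code from the thread or from JBoss itself. It assumes the JBoss API names org.jboss.security.SecurityAssociation (getPrincipal/getCredential) and org.jboss.invocation.MarshalledInvocation (getPrincipal/getCredential/setPrincipal/setCredential); the class ClientCertInvocationFiller, the method fillFromClientCert and the fallback to the standard servlet attribute javax.servlet.request.X509Certificate are assumptions of this example, as is the idea of calling it from InvokerServlet after the invocation has been deserialized.

```java
// Added example, not JBoss code: copy the CLIENT-CERT identity established by
// the web container into an invocation that arrived without one.
// Assumed JBoss APIs: SecurityAssociation.getPrincipal()/getCredential(),
// MarshalledInvocation.getPrincipal()/getCredential()/setPrincipal()/setCredential().
package example;

import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import org.jboss.invocation.MarshalledInvocation;
import org.jboss.security.SecurityAssociation;

public final class ClientCertInvocationFiller {

    private ClientCertInvocationFiller() {
    }

    /**
     * Hypothetical helper to be called from the invoker servlet once the
     * MarshalledInvocation has been read from the request.
     *
     * Returns true when the principal and the certificate chain were copied
     * onto the invocation, false when the invocation was left untouched.
     */
    public static boolean fillFromClientCert(MarshalledInvocation mi, HttpServletRequest req) {
        // Only fill what the client left empty. Never overwrite an identity the
        // client supplied itself; that would let a caller swap credentials.
        if (mi.getPrincipal() != null || mi.getCredential() != null) {
            return false;
        }

        // Values set by the web container's CLIENT-CERT login (per the question,
        // JBossSecurityMgrRealm puts them on the SecurityAssociation).
        Principal principal = SecurityAssociation.getPrincipal();
        Object credential = SecurityAssociation.getCredential();

        // Assumed fallback: the Servlet spec attribute that carries the chain
        // when the connector did client-certificate authentication.
        if (principal == null) {
            principal = req.getUserPrincipal();
        }
        if (credential == null) {
            credential = req.getAttribute("javax.servlet.request.X509Certificate");
        }

        // No CLIENT-CERT login happened: leave the invocation anonymous so the
        // EJB security domain rejects it rather than guessing an identity.
        if (principal == null || credential == null) {
            return false;
        }

        // CLIENT-CERT credentials must be a non-empty certificate chain; anything
        // else (e.g. a password string from another login) is not propagated.
        if (!(credential instanceof X509Certificate[])
                || ((X509Certificate[]) credential).length == 0) {
            return false;
        }

        mi.setPrincipal(principal);
        mi.setCredential(credential);
        return true;
    }
}
```

Propagating the chain only moves the identity across the invoker boundary; it does not by itself prove anything to the EJB container. As the reply notes, the EJB security domain still needs a certificate-aware login module that validates the chain (for example against a configured truststore) before granting roles, otherwise the copied principal would be accepted on the strength of the web-tier login alone.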