I've been using my own login module since 2.x. One special feature of this module is that the principal returned after successful authentication is not the user name. It is a special id associated with the user name (yes, this does make sense; actually it is common practice: think of Unix, where your user id is independent of your login name, which allows you to change your name [e.g. marry] without having to change the owner of all your files afterwards; the same applies here: if a user name changes, I do not want to create a new user and copy the role assignments from the "old" to the "new" user).
When upgrading from 3.2.5 to 3.2.6, my module didn't work anymore. I tracked things down and found that the result of the name callback issued in my login module now depends on the invocation context. When my login module is invoked by the web tier (step 1), I get the username as it was entered in the browser's username/password prompt. Later, when the web tier (i.e. servlet) tries to invoke ejbs' methods (step 2), the ejb container invokes my login module again. But now I get the name of the principal returned by my login module during step 1, not the user name entered by the user in the authentication dialog. Before 3.2.6, I got the user name here as well.
Can anybody tell me if I should submit this as a bug or consider it a feature (though I cannot really see why)?
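
The two-step behaviour described in the post can be reproduced with plain JAAS, outside any container. This is an added example, not the poster's module or JBoss code: `IdLoginModule`, `IdPrincipal`, `USER_IDS` and the `u1001` id are hypothetical, and the step 2 callback handler simply models the container answering the name callback with the step 1 principal.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class IdPrincipalDemo {
    // Constructed sample data: login name -> stable internal id.
    static final Map<String, String> USER_IDS = Map.of("alice", "u1001");
    record IdPrincipal(String id) implements Principal { public String getName() { return id; } }

    /** Hypothetical module: looks the user up by login name, returns the id as principal. */
    static class IdLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Principal principal;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            try { handler.handle(new Callback[] { nc }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            String id = USER_IDS.get(nc.getName());   // the module expects a login name here
            if (id == null) throw new FailedLoginException("unknown login name: " + nc.getName());
            principal = new IdPrincipal(id);
            return true;
        }
        public boolean commit() { return subject.getPrincipals().add(principal); }
        public boolean abort() { principal = null; return true; }
        public boolean logout() { return subject.getPrincipals().remove(principal); }
    }

    /** Runs one authentication; the handler answers the NameCallback with `name`. */
    static String authenticate(String name) throws LoginException {
        Subject subject = new Subject();
        LoginModule m = new IdLoginModule();
        m.initialize(subject, cbs -> ((NameCallback) cbs[0]).setName(name), Map.of(), Map.of());
        m.login();
        m.commit();
        return subject.getPrincipals().iterator().next().getName();
    }

    public static void main(String[] args) throws LoginException {
        String id = authenticate("alice");            // step 1: name typed in the browser
        System.out.println("step 1 principal: " + id);
        try { authenticate(id); }                     // step 2: handler supplies the step 1 principal
        catch (LoginException e) { System.out.println("step 2 failed: " + e.getMessage()); }
    }
}
```

Step 1 yields the id principal; step 2 fails because the id is not a key in the login-name lookup, which is the failure mode a module of this design hits when the name callback starts returning the earlier principal.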