I am experiencing following behaviour when using custom JACC provider with 4.0.3 (I have done configuration JaasAuthenticationInterceptor, JaccAuthorizationInterceptor JBoss plugins, JaccAuthorizationRealm in Tomcat sar, and other settings for JACC provider):
1a) during call from a "runAs" configured EJB to another EJB the javax.security.jacc.PolicyContext.getContext("javax.security.auth.Subject.container") method returns subject populated with a SimplePrincipal that contains the "runAs" role name, not the "runAs" principal configured in jboss.xml for the EJB.
1b) during call from a "runAs" configured servlet to EJB the javax.security.jacc.PolicyContext.getContext("javax.security.auth.Subject.container") method returns subject with no principal although the servlet has the "runAs" principal configured in jboss-web.xml.
However the internal SecurityAssociation.getCallerPrincipal() does return the configured "runAs" principal at least in the EJB container.
JACC 1.0 specification chapter 22.214.171.124 says caller's or runAs identity should be returned, but I am not sure what is meant by it. I am trying to control access to components based on identity, e.g. username of the user that is authenticated and in case of "runAs" on the principal configured for the "runAs" role.
2) when EJBContext.getCallerPrincipal() is called in an EJB that is called from an EJB with configured "runAs" role the principal I am getting is the principal that has authenticated to the container, not the principal associated with the "runAs" role. However, if the caller is NOT authenticated to the EJB container the same call returns principal that IS associated with the "runAs" role. I am using custom login module not inherited from JBoss abstract login modules.
3) the call to SessionContext.isCallerInRole(String roleName) does not consult the JACC provider. IMO it should check for the EJBRoleRefPermission. The servlet container seems to be working OK, i.e. the call to HttpServletRequest.isUserInRole(String role) consults the JACC provider for WebRoleRefPermission.