Ok, so I found various threads (like this one: http://www.jboss.org/index.html?module=bb&op=viewtopic&t=37807 and http://www.jboss.org/index.html?module=bb&op=viewtopic&t=35269).
From what I can tell, the @RunAs annotation is merely specifying the "role" to use, whereas an MDB that calls a secured SLSB will not have a principal. The suggestions seem to be, "Just perform a JAAS login before accessing your SLSB, and you'll be ok".
However, something about this isn't sitting right with me.
1.) If the MDB RunAs annotation is merely providing a role, but no principal, shouldn't the "unauthenticated" identity get used, just with the @RunAs role? This isn't happening, since my unauthenticated identity is "guest" (in login-config.xml), the SecurityAssociation Stack (detailed above) is showing "anonymous" as the principal, and JBAS doesn't care about either....it is simply throwing an IllegalStateException whenever I try to access the principal inside of my SLSB (called from an MDB). (Error: java.lang.IllegalStateException: No valid security context for the caller identity).
2.) If I perform a programmatic JAAS login inside of my MDB, but just before calling my SLSB, everything works fine. However, shouldn't I be able to use the unauthenticated identiy coupled with the RunAs role in this scenario???
Does anybody have any thoughts/opinion about the questions in my second post (above)?
The anonymous or configured run-as principal should be used the same as in the ejb2 mdb case. The current ejb3 security is being refactored to use a common and consistent codebase with the j2ee1.4 behaviors.
I just got bit by this too. Any news on when it will work?