I am experiencing a similar (identical?) bug that was reported in http://jira.jboss.com/jira/browse/JBAS-1852?page=com.cenqua.fisheye.jira:fisheye-tabpanel and reported fixed in JBoss 4.0.3.

I access a session bean twice from the web tier, as an unauthenticated user. The session bean function is basically a wrapper to ctx.isCallerInRole(roleName). On the second time that function is called I get

javax.security.auth.login.FailedLoginException: No matching username found in Principals

On the first call, there is no problem. Setting the unauthenticatedIdentity option does not help.

I have tried both 4.0.4GA and 4.0.5GA and the problem is still there. I wanted to do a sanity check before filing a JIRA report. Any comments?