I think we kind of fixed it. Got the clue from the security FAQ # 3 (http://www.jboss.org/community/docs/DOC-12198)
Our code creates its own login-config.xml and that one was missing the following from the ClientLoginModule
<!-- Any existing security context will be restored on logout -->
After adding this to the file, the exception is not thrown anymore.
Can anyone explain what exactly this option does, or where I can find more info on it?
I will also be reading a little more on JBoss 5.0.0 security.
Something that's interesting is that the custom login-config.xml file created by our tool works fine with JBoss 4.2.3 (without adding the above lines). It only throws the exception with JBoss 5.0.0.
The idea is that when you log out, you need to restore the identity of the user that was on the thread path before the ClientLM got involved.
userA----now_I_invoke_ejb_with_userB --- ejb_op ----- userB_logout
Now ClientLM with the option will set the thread to have userA as the identity.
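The userA / userB sequence in the reply, as an added illustration that is not part of this thread and not JBoss code: a minimal Java model of a client-side login module that pushes the new principal onto the calling thread's identity on login and, on logout, either restores what was there before or clears the thread entirely. The option name restore-login-identity is the one documented for org.jboss.security.ClientLoginModule (the post above only shows the comment that accompanies it); the ThreadLocal stack, the class names and the method bodies are constructed stand-ins for the real SecurityAssociation machinery, chosen only to make the two logout behaviours visible.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Added illustration (not JBoss code): how a client login module can treat the
 * calling thread's identity on logout, with and without "restore the previous
 * identity". Everything here is a constructed model of the real behaviour.
 */
public class IdentityRestoreDemo {

    /** Per-thread identity stack standing in for the JBoss security association. */
    private static final ThreadLocal<Deque<String>> IDENTITIES =
            ThreadLocal.withInitial(ArrayDeque::new);

    /** The principal the current thread is running as, or null if none is set. */
    static String currentIdentity() {
        return IDENTITIES.get().peek();
    }

    /** Model of the client login module: one instance per login/logout pair. */
    static final class ClientLoginModuleModel {
        private final boolean restoreLoginIdentity;   // models restore-login-identity

        ClientLoginModuleModel(boolean restoreLoginIdentity) {
            this.restoreLoginIdentity = restoreLoginIdentity;
        }

        /** login(): push the new principal on top of whatever identity was there before. */
        void login(String principal) {
            IDENTITIES.get().push(principal);
        }

        /** logout(): either restore the previous identity or wipe the thread's association. */
        void logout() {
            Deque<String> stack = IDENTITIES.get();
            if (restoreLoginIdentity) {
                stack.pop();      // userB is removed, the identity underneath is visible again
            } else {
                stack.clear();    // nothing is left on the thread, the earlier identity is gone too
            }
        }
    }

    /** Runs the sequence from the reply: userA -> invoke as userB -> ejb op -> userB logout. */
    static String runScenario(boolean restoreLoginIdentity) {
        Deque<String> stack = IDENTITIES.get();
        stack.clear();
        stack.push("userA");                      // the caller is already running as userA

        ClientLoginModuleModel lm = new ClientLoginModuleModel(restoreLoginIdentity);
        lm.login("userB");                        // now_I_invoke_ejb_with_userB
        String during = currentIdentity();        // what ejb_op sees
        lm.logout();                              // userB_logout
        String after = currentIdentity();         // what the thread carries afterwards
        return "during=" + during + ", after=" + after;
    }

    public static void main(String[] args) {
        System.out.println("restore-login-identity=false: " + runScenario(false));
        System.out.println("restore-login-identity=true:  " + runScenario(true));
    }
}
```

With the restore flag off, the thread has no identity left once userB logs out, so any further secured call made on that thread from the same code path runs unauthenticated; with it on, the thread is back to userA, which is the state the reply describes as the intended result of the option.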