> Is JBoss's implementation J2EE complient?
Yes. The J2EE specification does not say how the programmatic login to a J2EE component should be made. This is application server specific.
JBoss has the client-login module that attaches
the subject to the thread.
JBoss currently does not use JAAS for authorization
only for authentication, this is planned jboss4.
I am using the latest release JBoss App Server 4.0.5 GA. The JAAS/doAs behavior described in this article is still present in 4.0.5. Is there any new plan to fix this behavior?