Version 4

    Adrian Brock's Comment:

    This is not correct. RunAs is about authorization NOT authentication.







    From an MDB with a correctly configured run-as attribute - the role configured in run-as has sufficient rights to access your SessionBeans and EntityBeans - you get

  Password Incorrect/Password Required


    or else something like


    ...SecurityException: username=null


    when trying to call a method on a secured SessionBean/EntityBean.








    In login-config.xml you have to add


    <login-module code = ''
                  flag = 'required'>


    to the stack of login modules in the application-policy you use to secure your SessionBeans/EntityBeans.