Adrian Brock's Comment:
This is not correct. RunAs is about authorization NOT authentication.
From an MDB with a correctly configured run-as attribute - the role configured in run-as has sufficient rights to access your SessionBeans and EntityBeans - you get
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
or else something like
when trying to call a method on a secured SessionBean/EntityBean.
In login-config.xml you have to add
<login-module code = 'org.jboss.security.ClientLoginModule' flag = 'required'> </login-module>
to the stack of login modules in the application-policy you use to secure your SessionBeans/EntityBeans.