Description of problem: I am working with a customer that is running into an issue with security-context propagation when using the @Oneway annotation. Using the @javax.jws.Oneway annotation on a web service ejb causes the request to be handled by a new thread. Unfortunately, the security-context does not appear to be getting copied to the new thread that handles the request. This results in calls to secured EJBs failing.
To reproduce this issue, build a secured EJB3 web service and annotate a method with @RolesAllowed and @Oneway. The thread that starts the request will be authenticated and assigned roles correctly, but the security-context is not copied to the thread that handles the oneway call. This will result in an invalid user / permission denied issue.
Verified with EAP 6.4.19.CP.CR1