Created attachment 1286513 [details]
Description of problem:
Having an unsecured EJB in the call stack will cause the RunAs identity to get lost.
An example might look like this:
unsecured web app (RunAs: JBossAdmin) -> unsecured HelloBean EJB -> secured GoodBye EJB (RolesAllowed: JBossAdmin)
This will fail as the unsecured ejb causes the RunAs identity to get dropped/lost.
Steps to Reproduce:
- copy "other" security-domain to "jmx-console"
- deploy SimpleEAR_EJB3.ear
- hit http://localhost:8080/SimpleWar/Hello
Access is denied on GoodBye EJB
Upstream (with PR): https://issues.jboss.org/browse/WFLY-8917
Upstream EAP 7.1: https://issues.jboss.org/browse/JBEAP-11462
Upstream EAP 7.0: https://issues.jboss.org/browse/JBEAP-11632
Upstream WildFly: https://issues.jboss.org/browse/WFLY-8917
Verified with EAP 6.4.19.CP.CR1