Created attachment 1286513 [details] reproducer Description of problem: Having an unsecured EJB in the call stack will cause the RunAs identity to get lost. An example might look like this: unsecured web app (RunAs: JBossAdmin) -> unsecured HelloBean EJB -> secured GoodBye EJB (RolesAllowed: JBossAdmin) This will fail as the unsecured ejb causes the RunAs identity to get dropped/lost. Steps to Reproduce: - copy "other" security-domain to "jmx-console" - deploy SimpleEAR_EJB3.ear - hit http://localhost:8080/SimpleWar/Hello Actual results: Access is denied on GoodBye EJB Expected results: Additional info:
Upstream (with PR): https://issues.jboss.org/browse/WFLY-8917
Upstream EAP 7.1: https://issues.jboss.org/browse/JBEAP-11462 Upstream EAP 7.0: https://issues.jboss.org/browse/JBEAP-11632 Upstream WildFly: https://issues.jboss.org/browse/WFLY-8917
Verified with EAP 6.4.19.CP.CR1