When the checkWithPolicy method is called by the EJBJACCPolicyModuleDelegate class during authorization, the current roles are always determined using the caller principal even when a runAs principal exists. As a result, if the @RunAs annotation is used, the current roles will only include those of the caller principal, and those specificed in the @RunAs annotation will be ignored when authorization is performed.
Acknowledgements: This issue was discovered by Zbyněk Roubalík of Red Hat.
Statement: Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; Red Hat JBoss Enterprise SOA Platform 4 and 5; and Red Hat JBoss Enterprise Web Platform 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/