TomcatSecurityService overrides SecurityService's getLogicalRoles() method to handle its known principal types: TomcatUser and RunAsRole. However, it ignores other principals. The default behavior of SecurityService is to grant roles when the principal name matches the logical role name. In practice, this will allow TomcatSecurityService to grant the "guest" role when no user is logged in.
I've created https://issues.apache.org/jira/browse/OPENEJB-1120 with a patch to fix it.

There is also an old thread where I had already discussed this subject with David: http://old.nabble.com/Unauthenticated-principal-td21012809.html

However, here I've applied the sentence: "enough talking, show me the code" ;)

Luis Fernando Planella Gonzalez
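As an added illustration, not code from the message, from the JIRA patch, or from OpenEJB itself, the following Java models the two behaviours the message contrasts: role resolution that falls back to matching any principal's name against the logical role names, and role resolution that only consults the principal types the service understands and ignores everything else. All class and method names here (TomcatUser, RunAsRole, OtherPrincipal, RoleResolver, defaultLogicalRoles, restrictedLogicalRoles) are hypothetical stand-ins chosen for the example and are not OpenEJB's actual API.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

// Hypothetical stand-in for a principal the security service knows how to handle:
// an authenticated user carrying the roles its realm assigned to it.
final class TomcatUser implements Principal {
    private final String name;
    private final Set<String> roles;
    TomcatUser(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    public String getName() { return name; }
    Set<String> getRoles() { return roles; }
}

// Hypothetical stand-in for the second known type: a principal whose name is the role
// a component has been configured to run as.
final class RunAsRole implements Principal {
    private final String role;
    RunAsRole(String role) { this.role = role; }
    public String getName() { return role; }
}

// Any other principal a container might place in the caller's Subject, for example a
// placeholder for an unauthenticated caller. Its name is whatever the container chose.
final class OtherPrincipal implements Principal {
    private final String name;
    OtherPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

final class RoleResolver {
    // Name-matching fallback as the message describes it: a logical role is granted
    // whenever any principal's name equals the role name, whatever the principal's type.
    static Set<String> defaultLogicalRoles(Set<Principal> principals, Set<String> logicalRoles) {
        Set<String> granted = new LinkedHashSet<>();
        for (Principal p : principals) {
            if (logicalRoles.contains(p.getName())) {
                granted.add(p.getName());
            }
        }
        return granted;
    }

    // Restricted resolution: only the two known principal types contribute roles.
    // Unknown principal types are ignored rather than being matched by name.
    static Set<String> restrictedLogicalRoles(Set<Principal> principals, Set<String> logicalRoles) {
        Set<String> granted = new LinkedHashSet<>();
        for (Principal p : principals) {
            if (p instanceof TomcatUser) {
                for (String r : ((TomcatUser) p).getRoles()) {
                    if (logicalRoles.contains(r)) granted.add(r);
                }
            } else if (p instanceof RunAsRole) {
                if (logicalRoles.contains(p.getName())) granted.add(p.getName());
            }
            // any other principal type: deliberately no role granted
        }
        return granted;
    }

    public static void main(String[] args) {
        // Constructed sample data: the application declares two logical roles.
        Set<String> logicalRoles = new HashSet<>(Arrays.asList("guest", "admin"));

        // Case 1: nobody is logged in; the container supplies only a placeholder principal
        // whose name happens to coincide with a logical role name.
        Set<Principal> anonymous = new HashSet<>();
        anonymous.add(new OtherPrincipal("guest"));
        System.out.println("anonymous, name matching : "
                + RoleResolver.defaultLogicalRoles(anonymous, logicalRoles));     // [guest]
        System.out.println("anonymous, restricted    : "
                + RoleResolver.restrictedLogicalRoles(anonymous, logicalRoles));  // []

        // Case 2: a component running as "admin"; both strategies honour the known type.
        Set<Principal> runAs = new HashSet<>();
        runAs.add(new RunAsRole("admin"));
        System.out.println("run-as admin, name matching : "
                + RoleResolver.defaultLogicalRoles(runAs, logicalRoles));         // [admin]
        System.out.println("run-as admin, restricted    : "
                + RoleResolver.restrictedLogicalRoles(runAs, logicalRoles));      // [admin]
    }
}
```

The first case is the situation the message describes: with no user logged in, name matching hands out "guest" to a principal the service never authenticated, while the restricted resolver grants nothing. The second case shows that restricting resolution to known principal types does not cost anything for the types the service was written to handle.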
