Hi!

I was trying to test security in jBoss and found out that if the client does not log on to jBoss via LoginContext(), getCallerPrincipal() inside the invoked beans' methods returns null.

15.2.5 of the EJB 1.1 spec says:

"... The Bean Provider can invoke the getCallerPrincipal and isCallerInRole methods only in the enterprise bean’s business methods for which the Container has a client security context, as specified in Table 2 on page 60, Table 3 on page 70, and Table 4 on page 111. If they are invoked when no security context exists, they should throw the java.lang.IllegalStateException runtime exception."

So I'm expecting at least an IllegalStateException. Additionally, even the J2EE API documentation states that getCallerPrincipal() NEVER returns null:

EJBContext.getCallerPrincipal
"The Principal object that identifies the caller. This method never returns null."

Does anybody know whether this is a bug in jBoss?

Alexander Klyubin