Hi James,
As per the spec:
Invoking the getCallerPrincipal and isCallerInRole methods is disallowed in the session bean methods for which the Container does not have a client security context.
For an SFSB instance there is a client security context when the Container executes ejbActivate/ejbPassivate, as a stateful session bean is always associated with a particular client since its creation (i.e. since an instance of the bean has been created with the call to the ejbCreate method).
Therefore, one can invoke security-related methods on SessionContext when the Container passivates/activates an instance of an SFSB.
Alex (SCJP 1.4, SCBCD 1.3, SCWCD 1.4, SCJD 1.4)