It is not mandatory that principal that corresponds to run-as-identity for the bean should be same as principal that represents the caller of the bean.
In fact, the only reason for using a run-as-identity, is to perform subsequent bean invocations under a new principal / security role.
You may have a look at the code example in the following link: The principal that represents the caller of ABean has role "Guest" (at least if he should be allowed to invoke aMethod) while the run-as-identity corresponds to a principal with role "Admin".
SCJP 5 (98%) - SCBCD 5 (98%)
posted 11 years ago
Sorry it's my mistake, I forgot the first rule of cert preparation.
"Read options carefully."
run-as-identity is @RunAs, I did not read & applied my mind carefully.