If a Handle is saved and passed to another application or is stolen, then with the handle one can call getEJBObject and narrow it to a specific component interface. The EJB spec does say that any attempt to invoke a method on the obtained EJB is subject to the security check. My question is which PRINCIPAL the EJB container will try to check against. The process of obtaining such an EJBObject does not involve programmatically passing any new caller's credentials to the container. Does this indicate that it is the original principal who created the handle object that will be recognized by the container? If so, whoever got the handle will be able to invoke EJB methods on behalf of the creator of the handle. For me this demonstrates either a security hole or an extended security model for EJB clients. Any idea? Thanks,
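The quickest way to settle the question is to measure it rather than reason about it. The following is an added example, not code from the thread: a minimal EJB 2.x stateless bean whose only business method reports what getCallerPrincipal() returns, a client that creates the bean and serializes its Handle to a file, and a second client, started under a different login, that deserializes the Handle and calls the bean without doing any JNDI lookup of its own. The bean name WhoAmI, the JNDI name java:comp/env/ejb/WhoAmI, the file name whoami.handle and the two users alice and bob are constructed for the example; each public type below goes in its own .java file as the section comments indicate.

```java
// --- WhoAmI.java: remote component interface (assumed name) ---
import java.rmi.RemoteException;
import javax.ejb.EJBObject;

public interface WhoAmI extends EJBObject {
    /** Returns the name of the principal the container attached to this call. */
    String callerName() throws RemoteException;
}

// --- WhoAmIHome.java: remote home interface ---
import java.rmi.RemoteException;
import javax.ejb.CreateException;
import javax.ejb.EJBHome;

public interface WhoAmIHome extends EJBHome {
    WhoAmI create() throws CreateException, RemoteException;
}

// --- WhoAmIBean.java: stateless session bean ---
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

public class WhoAmIBean implements SessionBean {
    private SessionContext ctx;

    public void setSessionContext(SessionContext c) { ctx = c; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    // The container decides the caller identity; the bean just reports it.
    public String callerName() {
        return ctx.getCallerPrincipal().getName();
    }
}

// --- HandleOwner.java: run as user "alice" (constructed login via the
// client container / jndi.properties); creates the bean and saves its Handle ---
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import javax.ejb.Handle;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;

public class HandleOwner {
    public static void main(String[] args) throws Exception {
        InitialContext ic = new InitialContext();
        Object ref = ic.lookup("java:comp/env/ejb/WhoAmI"); // assumed JNDI name
        WhoAmIHome home = (WhoAmIHome) PortableRemoteObject.narrow(ref, WhoAmIHome.class);
        WhoAmI bean = home.create();
        System.out.println("owner sees caller = " + bean.callerName()); // expect alice

        // Persist the Handle exactly as an attacker who "stole" it would receive it.
        Handle h = bean.getHandle();
        ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream("whoami.handle"));
        out.writeObject(h);
        out.close();
    }
}

// --- HandleHolder.java: run as a different user "bob" (or with no login at all);
// performs no JNDI lookup and presents no credentials of its own ---
import java.io.FileInputStream;
import java.io.ObjectInputStream;
import java.rmi.RemoteException;
import javax.ejb.EJBObject;
import javax.ejb.Handle;
import javax.rmi.PortableRemoteObject;

public class HandleHolder {
    public static void main(String[] args) throws Exception {
        ObjectInputStream in = new ObjectInputStream(new FileInputStream("whoami.handle"));
        Handle h = (Handle) in.readObject();
        in.close();

        EJBObject obj = h.getEJBObject(); // per the spec, later invocations are security-checked
        WhoAmI bean = (WhoAmI) PortableRemoteObject.narrow(obj, WhoAmI.class);
        try {
            // If this prints "alice", the handle carried the creator's identity.
            // If it prints "bob" or "anonymous", the container used the holder's identity.
            System.out.println("holder sees caller = " + bean.callerName());
        } catch (RemoteException e) {
            // A java.rmi.AccessException here means the container checked the holder
            // against the method permissions and rejected the call.
            System.out.println("rejected: " + e);
        }
    }
}
```

To make the result unambiguous, restrict callerName in ejb-jar.xml with a method-permission granted to a role that only alice is mapped to. If HandleHolder, running as bob, still gets an answer, the container is invoking on behalf of the handle's creator and the concern in the question is real for that container; if it gets AccessException, the container re-authorized the holder's own credentials. Run it against each container you deploy to, since the spec leaves the identity propagation details to the vendor.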
Well, I am not too sure of this... But certainly the container, before giving you back the stub from your Handle's getEJBObject() method, will have a look at the credentials of the user asking for it. The handle, as we all know, is an intelligent object... it might store some security information as well (as to what role it belongs to). If it passes that information to the container while asking for the EJBObject, and the container sees that the current user and the user who initially got the serialized handle object are not the same user (principal), then I guess you will never get to call methods on the same EJBObject... Not too sure whether I am right...
Best Regards,
Rajnish Bhasin.
SCJP, SCWCD, SCBCD
The spec says the following about getCallerPrincipal: "An enterprise may have a complex security infrastructure that includes multiple security domains. The security infrastructure may perform one or more mappings of principals on the path from an EJB caller to the EJB object. For example, an employee accessing his or her company over the Internet may be identified by a userid and password (basic authentication), and the security infrastructure may authenticate the principal and then map the principal to a Kerberos principal that is used on the enterprise's intranet before delivering the method invocation to the EJB object. If the security infrastructure performs principal mapping, the getCallerPrincipal() method returns the principal that is the result of the mapping, not the original caller principal. (In the previous example, getCallerPrincipal() would return the Kerberos principal.) The management of the security infrastructure, such as principal mapping, is performed by the System Administrator role; it is beyond the scope of the EJB specification." I wonder whether, when making a handle, I can map it to someone else's Principal object so that the other person can use it?