I can't find anything that explicitly states this in the spec, so I was hoping someone could set me straight. MDBs have no clients, so the app assembler cannot set its <security-identity> to <use-caller-identity> (section 21.3.4 of the spec). Does that mean that the MDB will throw exceptions when it attempts to call another bean's methods, if the MDB's <security-identity> is not set to a <role-name> (using <run-as> of course) with sufficient authority? If so, you would only need to specify an MDB's <security-identity> element if it called another bean.
According to the EJB specification 2.0, an MDB may only provide a run-as element within its security-identity element, use-caller-identity being forbidden for an MDB. The specification further states that "The run-as identity establishes the identity the enterprise bean will use when it makes calls." What happens if you specify use-caller-identity in the security-identity element is container specific, in my opinion. Logically, the container should prevent the MDB from being deployed if such a case happens. But I firmly doubt that an exception would be raised at runtime, as this would imply that the deployment was successful even though the deployment descriptor did not satisfy the specification, which is a must for all EJB container implementors.
[ April 02, 2004: Message edited by: Valentin Crettaz ]
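A pre-deployment check along the lines the answer above describes, written here as an added example; it is not code from the thread, the specification, or any container. The descriptor is a constructed, trimmed EJB 2.0 style sample with hypothetical bean and role names, and the second check (the run-as role being declared as a security-role) is an added consistency check that the thread itself does not discuss.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed EJB 2.0 style descriptor; bean and role names are hypothetical.
SAMPLE = """<ejb-jar>
  <enterprise-beans>
    <message-driven>
      <ejb-name>OrderListenerMDB</ejb-name>
      <security-identity><use-caller-identity/></security-identity>
    </message-driven>
    <message-driven>
      <ejb-name>AuditListenerMDB</ejb-name>
      <security-identity>
        <run-as><role-name>audit-writer</role-name></run-as>
      </security-identity>
    </message-driven>
    <message-driven>
      <ejb-name>BillingListenerMDB</ejb-name>
      <security-identity>
        <run-as><role-name>billing</role-name></run-as>
      </security-identity>
    </message-driven>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>audit-writer</role-name></security-role>
  </assembly-descriptor>
</ejb-jar>"""

def check_mdb_identity(descriptor_xml):
    """Return (ejb-name, finding) pairs for the message-driven beans in a descriptor."""
    root = ET.fromstring(descriptor_xml)
    declared = {r.text.strip()
                for r in root.findall("assembly-descriptor/security-role/role-name")}
    findings = []
    for mdb in root.findall("enterprise-beans/message-driven"):
        name = mdb.findtext("ejb-name", default="?").strip()
        ident = mdb.find("security-identity")
        if ident is None:
            continue  # no identity configured, nothing to validate here
        if ident.find("use-caller-identity") is not None:
            findings.append((name, "use-caller-identity not allowed on an MDB"))
        role = ident.findtext("run-as/role-name")
        if role is not None and role.strip() not in declared:
            findings.append((name, "run-as role not declared: " + role.strip()))
    return findings

if __name__ == "__main__":
    for name, finding in check_mdb_identity(SAMPLE):
        print(name + ": " + finding)
```

Running such a check in the build means a descriptor that breaks the rule is caught before deployment, whatever a particular container would do with it.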