Seemapanth,
There are two things that I am not clear here.
1.What are the scenarios where there can be multiple clients that can arrive in a single transaction? I can only imagine of a bean calling other bean for some services in a same transaction. (Let me know if there are others too). If that is the case usually the security context passed by the initial client may be retained until the transaction is over.
2.In context to above, a bean can change its security context by using the <run-as> element in DD and becoming a different principal than the calling client�s principal. This means that that in the same transaction it is possible to change the security context by different calling clients.
In options C:
�Transactional requests within a single transaction cannot arrive from multiple clients.�
It is not mentioned that the multiple clients have same security context or different. If the option C was
�Transactional requests within a single transaction cannot arrive from multiple clients having different security context�
Then the option C should be false as per the specification stated above by you. And if C was
�Transactional requests within a single transaction cannot arrive from multiple clients having same security context�
Then C is true.
But as in point 1, beans can change there security context within a single transaction, so either the specs is wrong or the <run-as> element has something more to it that I am missing.
Thanks,
Rahul
