In the specs section 4.3.4 says for each lifecycle callback, that it runs in an unspecified security and transaction context. However, for statefull session beans, according to the table on page 79, we can call EJBContext.getCallerPrincipal() / isCallerInRole(). This would imply that they return valid results, and security context does exist. Also, we can use other beans, resource managers and so on, which would mean there is some transaction context.
Could someone clear this up for me, please?