The getCallerPrincipal() method has been improved to always return the username used to login.

Now any LoginModule implementation can use the new @CallerPrincipal annotation to flag the Principal object they want to be the one returned from getCallerPrincipal() method. The security service will iterate over the Principal objects in the current Subject and return the first one that is annotated as @CallerPrincipal. If no Principal is found with the @CallerPrincipal annotation, the security service will return the first Principal in the Subject as before. All the OpenEJB supplied LoginModules have been updated to use this new annotation.

If you have implemented your own LoginModule, here's an example of a Principal implementation that uses the new annotation:

import org.apache.openejb.spi.CallerPrincipal;

public class UserPrincipal implements {

    private final String name;

    public UserPrincipal(String name) {
        if (name == null) throw new IllegalArgumentException("name cannot be null"); = name;

    public String getName() {
        return name;

    // don't forget to implement equals() and hashCode()