b930b8
@@ -21,8 +21,6 @@
  */
 package org.jboss.as.ejb3.security;
 
-import static java.security.AccessController.doPrivileged;
-
 import java.security.PrivilegedAction;
 
 import javax.ejb.EJBAccessException;
@@ -31,6 +29,8 @@
import org.jboss.invocation.Interceptor;
 import org.jboss.invocation.InterceptorContext;
 import org.jboss.security.SecurityRolesAssociation;
 
+import static java.security.AccessController.doPrivileged;
+
 /**
  * Establish the security context.
  *
@@ -45,16 +45,26 @@
public class SecurityContextInterceptor implements Interceptor {
         this.pushAction = new PrivilegedAction<Void>() {
             @Override
             public Void run() {
+                holder.securityManager.push(holder.securityDomain);
                 try {
-                    holder.securityManager.push(holder.securityDomain);
                     if (holder.skipAuthentication == false) {
                         holder.securityManager.authenticate(holder.runAs, holder.runAsPrincipal, holder.extraRoles);
                     }
                     if (holder.principalVsRolesMap != null) {
                         SecurityRolesAssociation.setSecurityRoles(holder.principalVsRolesMap);
                     }
-                } catch (SecurityException e) {
-                    throw new EJBAccessException(e.getMessage());
+                } catch (Throwable t) {
+                    // undo the push actions on failure
+                    if (holder.principalVsRolesMap != null) {
+                        // clear the threadlocal
+                        SecurityRolesAssociation.setSecurityRoles(null);
+                    }
+                    holder.securityManager.pop();
+
+                    if (t instanceof SecurityException) {
+                        throw new EJBAccessException(t.getMessage());
+                    }
+                    throw t;
                 }
                 return null;
             }
@@ -62,10 +72,11 @@
public class SecurityContextInterceptor implements Interceptor {
         this.popAction = new PrivilegedAction<Void>() {
             @Override
             public Void run() {
-                holder.securityManager.pop();
-                if(holder.principalVsRolesMap != null){
-                    SecurityRolesAssociation.setSecurityRoles(null);//Clear the threadlocal
+                if (holder.principalVsRolesMap != null) {
+                    // Clear the threadlocal
+                    SecurityRolesAssociation.setSecurityRoles(null);
                 }
+                holder.securityManager.pop();
                 return null;
             }
         };
