security propagation from JAAS context to EJB question