public RunAsListener() 
{
    
      this.metaData = metaDataLocal.get();
}

 public  void instanceEvent(InstanceEvent event) 
{
      Wrapper servlet = event.getWrapper();
      String type = event.getType();
      if (servlet != null && metaData != null)
      {
         boolean trace = log.isTraceEnabled();
         String name = servlet.getName();
         RunAsIdentityMetaData identity = metaData.getRunAsIdentity(name);
         RunAsIdentity runAsIdentity = null;
         if(identity != null)
         {
            runAsIdentity = new RunAsIdentity(identity.getRoleName(),
                  identity.getPrincipalName(), identity.getRunAsRoles());
         }
         if (trace)
            log.trace(name + ", runAs: " + identity);
         // Push the identity on the before init/destroy
         if( type.equals(InstanceEvent.BEFORE_INIT_EVENT)
            || type.equals(InstanceEvent.BEFORE_DESTROY_EVENT)
            || type.equals(InstanceEvent.BEFORE_SERVICE_EVENT) )
         {
            ensureSecurityContext();
            SecurityAssociationActions.pushRunAsIdentity(runAsIdentity);
         }
         // Pop the identity on the after init/destroy
         else if( type.equals(InstanceEvent.AFTER_INIT_EVENT)
            || type.equals(InstanceEvent.AFTER_DESTROY_EVENT) 
            || type.equals(InstanceEvent.AFTER_SERVICE_EVENT))
         {
            ensureSecurityContext();
            SecurityAssociationActions.popRunAsIdentity();
         }
      }
}

Push the run-as identity on the before init/destroy, pop it on the after init/destroy events.