<div dir="ltr">On Wed, Apr 26, 2017 at 6:19 PM, Romain Manni-Bucau <span dir="ltr"><<a href="mailto:rmannibucau@gmail.com" target="_blank">rmannibucau@gmail.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><span class="gmail-"><div class="gmail_quote"><span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class="gmail-m_279778455011069846m_6765061379480428475gmail-"><div>Here you can get a PrincipalFacade which limits MyPrincipal to getName() only; this is perfectly valid per spec.<br></div></span></div></div></div></blockquote><div><br></div></span><div>Nope, I spec'ed this such that securityContext.getCallerPrincipal() MUST return the *exact* principal type that was set by the authentication mechanism.</div></div></span></div></div></blockquote><div><br></div><div>Yep, and my statement is still true. You can still wrap the context in a filter and break that so a user can't rely on it.</div></div></div></div></blockquote><div><br></div><div>I'm not sure if I understand that correctly. You can't really wrap the security context in a filter.
The security context is a CDI bean, not an instance that's passed along from one filter to the other.</div><div><br></div><div>You can decorate the context and then return whatever from the getCallerPrincipal() method, but that doesn't mean the original getCallerPrincipal() method doesn't return what it's spec'ed to return, does it?</div><div><br></div><div>Kind regards,</div><div>Arjan Tijms</div></div></div></div>
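<p>The mechanism the two replies above argue about, as an added example (not code from the thread, the Java EE Security API, or either author): a CDI decorator on <code>SecurityContext</code> that returns a name-only facade from <code>getCallerPrincipal()</code> while the delegate underneath still returns the principal type the authentication mechanism set, and a consumer showing why code that downcasts to the concrete type becomes fragile once such a decorator is active. <code>MyPrincipal</code>, <code>PrincipalFacade</code>, <code>PrincipalNarrowingDecorator</code> and <code>OrderService</code> are hypothetical names; the example assumes the container applies CDI decorators to its built-in <code>SecurityContext</code> bean, which is implementation-dependent.</p>

```java
// Added example, not part of the mailing-list thread or the Java EE Security API.
// Assumption: the container lets CDI decorators apply to its built-in
// SecurityContext bean. MyPrincipal, PrincipalFacade, PrincipalNarrowingDecorator
// and OrderService are hypothetical names chosen for illustration.
import java.security.Principal;
import javax.annotation.Priority;
import javax.decorator.Decorator;
import javax.decorator.Delegate;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.interceptor.Interceptor;
import javax.security.enterprise.SecurityContext;

// Hypothetical principal type that an authentication mechanism would set.
class MyPrincipal implements Principal {
    private final String name;
    private final String department;

    MyPrincipal(String name, String department) {
        this.name = name;
        this.department = department;
    }

    @Override
    public String getName() { return name; }

    public String getDepartment() { return department; }
}

// Facade that exposes only the java.security.Principal contract (getName()).
class PrincipalFacade implements Principal {
    private final Principal delegate;

    PrincipalFacade(Principal delegate) { this.delegate = delegate; }

    @Override
    public String getName() { return delegate.getName(); }
}

// Decorator on the SecurityContext bean. The delegate's getCallerPrincipal()
// is untouched and still returns the exact principal type; only what this
// decorator hands back to injection points is narrowed. Abstract so the
// remaining SecurityContext methods are passed through to the delegate.
@Decorator
@Priority(Interceptor.Priority.APPLICATION)
abstract class PrincipalNarrowingDecorator implements SecurityContext {
    @Inject @Delegate SecurityContext delegate;

    @Override
    public Principal getCallerPrincipal() {
        Principal original = delegate.getCallerPrincipal();
        return original == null ? null : new PrincipalFacade(original);
    }
}

// Consumer relying on the concrete type. Against the undecorated bean the
// instanceof check succeeds; with the decorator active the caller only ever
// sees a PrincipalFacade, so the downcast path is never taken.
@RequestScoped
class OrderService {
    @Inject SecurityContext securityContext;

    String callerDepartment() {
        Principal p = securityContext.getCallerPrincipal();
        if (p instanceof MyPrincipal) {
            return ((MyPrincipal) p).getDepartment();
        }
        // Defensive path: do not assume the concrete type survived decoration.
        return "unknown";
    }
}
```

<p>The point for a consumer is that the spec guarantee applies to the bean the container produces, not to whatever a deployment's own decorators place in front of it, so application code that needs the concrete principal should treat the <code>instanceof</code> miss as an expected case rather than an impossibility.</p>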