On Wed, Apr 26, 2017 at 6:19 PM, Romain Manni-Bucau <rmannibucau@gmail.com> wrote:
Here you can get a PrincipalFacade which limits MyPrincipal to getName() only; this is perfectly valid per spec.

Nope, I spec'ed this such that securityContext.getCallerPrincipal() MUST return the *exact* principal type that was set by the authentication mechanism.

Yep and my statement is still true. You can still wrap the context in a filter and break that so a user can't rely on it.

I'm not sure if I understand that correctly. You can't really wrap the security context in a filter. The security context is a CDI bean, not an instance that's passed along from one filter to the other.

You can decorate the context and then return whatever from the getCallerPrincipal() method, but that doesn't mean the original getCallerPrincipal() method doesn't return what it's spec'ed to return, does it?

Kind regards,
Arjan Tijms
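As an added illustration of the decoration case discussed above (example code, not from the thread participants or the JSR 375 reference implementation): a CDI decorator in front of the SecurityContext bean that hands callers a name-only facade, while the delegate bean underneath still returns the exact principal type set by the authentication mechanism. It assumes the Java EE 8 javax.security.enterprise.SecurityContext interface and CDI 1.2+ decorators; the class names NameOnlySecurityContextDecorator and PrincipalFacade are hypothetical.

```java
import java.security.Principal;
import javax.annotation.Priority;
import javax.decorator.Decorator;
import javax.decorator.Delegate;
import javax.inject.Inject;
import javax.interceptor.Interceptor;
import javax.security.enterprise.SecurityContext;

// Hypothetical CDI decorator enabled via @Priority (no beans.xml entry needed).
// Application code that does "instanceof MyPrincipal" on the injected
// SecurityContext sees only the facade once this decorator is deployed,
// even though the underlying bean's getCallerPrincipal() is unchanged.
@Decorator
@Priority(Interceptor.Priority.APPLICATION)
public abstract class NameOnlySecurityContextDecorator implements SecurityContext {

    // The container injects the real SecurityContext bean here.
    @Inject
    @Delegate
    private SecurityContext delegate;

    @Override
    public Principal getCallerPrincipal() {
        Principal original = delegate.getCallerPrincipal(); // exact type per spec
        if (original == null) {
            return null; // unauthenticated caller stays unauthenticated
        }
        // The facade exposes getName() only; the original object is not reachable from it.
        return new PrincipalFacade(original.getName());
    }

    // All other SecurityContext methods are left abstract, so the container
    // forwards them straight to the delegate.

    /** Minimal Principal carrying only the caller name (constructed for this example). */
    static final class PrincipalFacade implements Principal {
        private final String name;

        PrincipalFacade(String name) {
            this.name = name;
        }

        @Override
        public String getName() {
            return name;
        }
    }
}
```

Code that needs the concrete type should therefore not assume it from an injected SecurityContext alone; whether a decorator like this is present is a deployment decision, not something the spec guarantees against.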