Farah Juma created ELY-410:
------------------------------
Summary: Add the ability to check if the caller has RuntimePermission("setRunAsPermission") when creating a RunAs identity
Key: ELY-410
URL: https://issues.jboss.org/browse/ELY-410
Project: WildFly Elytron
Issue Type: Enhancement
Components: API / SPI
Reporter: Farah Juma
Assignee: Farah Juma
Currently, there's a difference between Elytron and PicketBox in the behaviour of a
run-as-principal operation. In particular, Elytron's
{{SecurityIdentity#createRunAsIdentity()}} always attempts to authorize a run-as-principal
operation, which means that a user needs to be granted the {{RunAsPrincipalPermission}}
via a custom {{PermissionMapper}} in order to run as the given principal (even to run as
the anonymous principal). However, PicketBox only performs an authorization check in this
case if the security manager is enabled and the check itself seems to be a bit different -
PicketBox just checks the caller has {{"setRunAsPermission"}}, which is a
{{RuntimePermission}} that doesn't depend on the given principal.
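The two authorization models contrasted in the issue can be compared side by side with JDK permission classes only. This is an added illustration, not Elytron or PicketBox code: `RunAsTargetPermission`, both check methods and the principal names are hypothetical stand-ins, and the real Elytron check resolves permissions through a `PermissionMapper` rather than a plain `Permissions` collection.

```java
import java.security.BasicPermission;
import java.security.Permissions;

public class RunAsCheckDemo {

    // Hypothetical stand-in for a principal-specific run-as permission:
    // the permission name is the target principal, so every target
    // (including "anonymous") needs its own grant or a "*" wildcard.
    static final class RunAsTargetPermission extends BasicPermission {
        private static final long serialVersionUID = 1L;
        RunAsTargetPermission(String principalName) { super(principalName); }
    }

    // Model of the behaviour the issue attributes to Elytron:
    // always authorize, and authorize against the requested principal.
    static boolean principalSpecificCheck(Permissions granted, String target) {
        return granted.implies(new RunAsTargetPermission(target));
    }

    // Model of the behaviour the issue attributes to PicketBox:
    // check only when a security manager is enabled, and check a
    // RuntimePermission that does not mention the target principal.
    static boolean principalIndependentCheck(Permissions granted,
                                             boolean securityManagerEnabled) {
        if (!securityManagerEnabled) {
            return true; // no check at all in this mode
        }
        return granted.implies(new RuntimePermission("setRunAsPermission"));
    }

    public static void main(String[] args) {
        // Constructed sample grants for one caller.
        Permissions caller = new Permissions();
        caller.add(new RuntimePermission("setRunAsPermission"));
        caller.add(new RunAsTargetPermission("batch-user"));

        for (String target : new String[] {"batch-user", "admin", "anonymous"}) {
            System.out.printf("%-10s principal-specific=%-5b independent(SM on)=%-5b independent(SM off)=%b%n",
                    target,
                    principalSpecificCheck(caller, target),
                    principalIndependentCheck(caller, true),
                    principalIndependentCheck(caller, false));
        }
    }
}
```

With these grants the principal-specific check passes only for `batch-user`, while the principal-independent check passes for all three targets, which is the gap in blast radius to weigh when the `RuntimePermission` check is made available.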