Hi,

On Thu, Jun 5, 2014 at 10:50 AM, Darran Lofthouse <darran.lofthouse@jboss.com> wrote:
> +1 Recently looking at how different JDBC driver vendors, and different
> JDK vendors interpret the use of JAAS for Kerberos propagation there are
> a lot of different interpretations of the same spec / APIs!!

JAAS, and especially JAAS in Java EE, is not the universal standard you may think it is. Some parts are interpreted differently, but other parts are just not specified. How to store a username and roles in the "bag of principals" that the Subject is, is particularly notorious. I wrote a post about that subject (no pun) here: http://arjan-tijms.blogspot.com/2014/02/jaas-in-java-ee-is-not-universal.html

I wonder btw if any of the work done for this WildFly Elytron project (and previous work done for Picketbox/link) could possibly be used for feedback on how to improve the security APIs in Java EE itself. Has this ever been considered?

Kind regards,
Arjan