Hi,
A while back I reported
https://issues.jboss.org/browse/SECURITY-746 and
https://issues.jboss.org/browse/SECURITY-876
746 has been open for a long time, while 876 is relatively new.
Both concern propagation of the authenticated identity from Servlet to EJB,
something which unfortunately has seen bugs in some form of the other for
several years now.
Would really be great if this can be fixed. I provided a possible
workaround for 876, and a reproducer test for both issues. If needed I can
help more.
Kind regards,
Arjan Tijms