0 Replies Latest reply on Jun 4, 2014 5:31 AM by andres.delpino

    Programmatically change user role in JBoss EAP 6.2

    andres.delpino

      We are trying to get this working in JBoss EAP 6.2 but for the moment we haven't been able to find the reason why it is failing.

      In our application, super users are able to decide which role they want to use after logging in to the application. So first the user will have a role and then we want to change it. For this we are doing the following:

      import java.security.Principal;
      import javax.security.auth.Subject;
      import javax.security.jacc.PolicyContext;
      import javax.security.jacc.PolicyContextException;
      import org.jboss.security.SimpleGroup;
      import org.jboss.security.SimplePrincipal;

      // Swap the super-user role for the chosen role inside the caller's Subject.
      // CONSTANT_SUPER_USER is our own constant holding the super-user role name.
      void switchRole(String authorizationRole) throws PolicyContextException {
          // The container exposes the authenticated Subject through the JACC PolicyContext
          Subject sub = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
          for (Principal p : sub.getPrincipals()) {
              // JBoss keeps the caller's roles in a group principal named "Roles"
              if ("Roles".equals(p.getName()) && p instanceof SimpleGroup) {
                  SimpleGroup group = (SimpleGroup) p;
                  group.removeMember(new SimplePrincipal(CONSTANT_SUPER_USER));
                  group.addMember(new SimplePrincipal(authorizationRole));
              }
          }
      }

      This is actually changing the role in the Subject. But afterwards when the authorization is being checked we get the following in the server's log:

      [org.apache.catalina.authenticator] (http-/0.0.0.0:8080-11) We have cached auth type LOGIN for principal GenericPrincipal[userName(superuser,)]

      As you can see, it is still getting the old value after modifying it. We are using our own class extending SimplePrincipal.

      Checking the content of Faces.getRequest() we have seen that the request contains a userPrincipal of type JBossGenericPrincipal and inside it, it contains our extended SimplePrincipal. Checking both of them we have seen that:

      JBossGenericPrincipal.roles contains superuser

      JBossGenericPrincipal.subject.principals contains the modified SimpleGroup with the new authorization role

      Just for your information, we had this working on WildFly first and it worked perfectly, but we had to change to JBoss and found that this wasn't working properly. So we think it has to be something related to this specific JBoss version.

      Has someone faced this problem? Any idea why this might be failing? I guess we have to put the correct role in JBossGenericPrincipal.roles but how?

      Any help is appreciated. Thanks!