I'm trying to migrate a Seam 2.3 application to CDI+PicketLink, but I can't find a replacement for Seam's RunAsOperation in PicketLink. (Shiro has a similar function in Subject.runAs, but only for authenticated users.) How can I achieve the effect of impersonating an account temporarily, e.g. to perform an operation as Admin, or to impersonate, in a worker thread, the user who triggered a background job?
So far the only option I can think of is to subclass the internal class org.picketlink.internal.AbstractIdentity so that I can override getAccount(), isLoggedIn() and hasPermission() to use a temporary ThreadLocal Account instead of this.account. But I'd really prefer not to do that!