I would like to understand how JBoss WildFly 10 propagates the logged-in Subject/principals across an EAR application.
Specifically, I noticed that the SecurityContextInterceptor triggers a JAAS authentication, passing the user principal and password stored in its private context. This happens when calling an EJB from an integration test WAR through Arquillian, when the user is already logged in in the WAR.
To better explain the context, we are porting an application from GlassFish 3.1 to WildFly 10. We have a custom JAAS login module and rely on the principal instance set in the subject. For example, if we return a principal instance A on the first authentication in the JAAS module, we expect it to be retrieved from the PolicyContext in all EAR modules. What happens is that different instances are set in different contexts, as additional JAAS authentication occurs when calling EJBs. I'm not sure this is expected.
Do the principals set in the subject of a JAAS login module propagate to all modules of an EAR application? If not, why? And is there a way to configure WildFly to do so?