0 Replies Latest reply on Oct 22, 2018 6:02 AM by antlia

    Programmatic Login in JAAS

    antlia

      Hi,


      I've implemented a JEE application for JBoss AS 7.1.0, which now runs in WildFly 10.1.0 Final.

      In this application I've configured legacy security with a custom login module, returning a custom principal.


      In this application I have some batches which need to act on behalf of users, because they call EJB methods that are secured by @RolesAllowed annotations and implement some checks on the logged principal (name, userID and so on).


      The only way to accomplish this behavior is using JBoss' org.jboss.security.ClientLoginModule, which requires that both username and password are known during batch execution, which forces me to store passwords in plaintext in the DB in order to retrieve and use them.

      Since storing passwords in plaintext is not good at all, I was wondering if there is another option for impersonating a user without knowing their password, for example logging in programmatically as admin and then impersonating userX.


      Thank you for any suggestion.