I had posted before regarding what I perceived as a bug in JBossWS such that upon each invocation of a web service, the subject would be reauthenticated, negating any value the JAAS authentication cache provides and introducing a potentially time- and resource-consuming requirement.
I was able to solve this by creating a transport specific handler that will call SecurityAssociation.setPrincipal with the result of getUserPrincipal() from the HttpServletRequest object retrieved through the MessageContext.
This is in contrast to the ServerLoginHandler (configured by default), which always calls SecurityAssociation.setPrincipal with a new SimplePrincipal(), which always results in a cache miss.
Calling getUserPrincipal() leverages the work Tomcat already does to remember and reassociate the user's cached principal with the request.
I am still hopeful there is a better solution, but this is the best I could come up with. Any suggestions?
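The handler described in the post, written out as an added illustration (this is not the poster's code and not part of JBossWS). It assumes a JAX-WS style handler chain (`SOAPHandler`/`SOAPMessageContext` with the standard `MessageContext.SERVLET_REQUEST` property); an older JAX-RPC based JBossWS deployment would use the equivalent `GenericHandler` API instead. The class name `CachedPrincipalHandler` is made up for the example.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.xml.namespace.QName;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

import org.jboss.security.SecurityAssociation;

/**
 * Server-side handler that reuses the Principal the servlet container already
 * authenticated for this HTTP request, instead of building a fresh
 * SimplePrincipal that the JAAS cache has never seen.
 *
 * Illustrative code only; assumes a JAX-WS handler chain on JBossWS.
 */
public class CachedPrincipalHandler implements SOAPHandler<SOAPMessageContext> {

    public Set<QName> getHeaders() {
        // This handler does not consume any SOAP headers.
        return Collections.emptySet();
    }

    public boolean handleMessage(SOAPMessageContext ctx) {
        Boolean outbound = (Boolean) ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY);
        if (Boolean.TRUE.equals(outbound)) {
            return true; // only the inbound request carries the caller's identity
        }

        // Transport-specific: the HTTP request is exposed by the JAX-WS runtime
        // under the standard SERVLET_REQUEST property.
        HttpServletRequest req = (HttpServletRequest) ctx.get(MessageContext.SERVLET_REQUEST);
        Principal caller = (req == null) ? null : req.getUserPrincipal();

        if (caller != null) {
            // Associate the container's own Principal with the thread, so the
            // security manager's cache lookup sees the same identity the
            // container cached rather than a new SimplePrincipal.
            SecurityAssociation.setPrincipal(caller);
        }
        // If the container did not authenticate this request, leave the
        // association untouched and let the regular login path decide.
        return true;
    }

    public boolean handleFault(SOAPMessageContext ctx) {
        return true;
    }

    public void close(MessageContext ctx) {
        // Worker threads are pooled. Clearing the association at the end of
        // the exchange prevents the next request on this thread from
        // inheriting this caller's identity (an assumption about deployment:
        // nothing later in the chain still relies on the association).
        SecurityAssociation.clear();
    }
}
```

Two practical points. The handler only pays off if it is configured to run where the default ServerLoginHandler would otherwise run (or before it), since that handler would overwrite the association with a new SimplePrincipal. And the `close()` cleanup is a defensive choice: if an EJB or other downstream component in your deployment still reads the association after the handler chain closes, drop the `clear()` call or move it to a point after that component has run.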