Hi all,
I am in the process of migrating my application from WildFly 24 to 26.1.3, and our application supports multiple ways of authentication like LDAP, local users in the DB, SAML, etc. In WildFly 26.x, for LDAP and local users, we are using FORM-based authentication with a JAAS realm, and everything works fine.
Our application relies heavily on the logged-in user to fetch user-specific information. We used to achieve this using legacy security (PicketBox). However, in Elytron, we achieve this by using either
SecurityDomain.getCurrent().getCurrentSecurityIdentity().getPrincipal() or
(EJB)SessionContext.getCallerPrincipal().
However, the above methods return the correct logged-in user only if the user is authenticated via the application.
So, in the case of REST API, SAML or CLI (SSH), etc., it does not go via application authentication because form-based is not applicable there. So, after authentication, we are unable to set the SecurityIdentity or the principal on the current security domain so that it will be available further in the application.
Tried the following approaches, but none of them are working:
SecurityDomain.getCurrent().createNewAuthenticationContext().setAuthenticationPrincipal(tp)
SecurityDomain.getCurrent().createAdHocIdentity()
We used to have the "org.wildfly.security.auth.server.SecurityIdentityAssociation" class, which allowed setting the principal programmatically, but it was removed in the latest version.
So, I want to understand the rationale behind this design. Is there a way to achieve our use cases in Elytron by writing custom code?
Any input on this is much appreciated.
Thanks
Arulkumar P
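Added example, not the poster's code and not taken from WildFly itself: in Elytron's public API an identity is not "set" on a thread but scoped to a block of work via SecurityIdentity.runAs(...). A non-FORM entry point (a REST filter, an SSH/CLI handler, a SAML callback) obtains a SecurityIdentity from the deployment's SecurityDomain and runs the request inside runAs; code further down that calls SecurityDomain.getCurrent().getCurrentSecurityIdentity().getPrincipal() then sees that identity. The class and method names below (ElytronIdentityScoping, authenticateWithPassword, identityFromExternalAuth, runWithIdentity) are my own; the Elytron types and calls are the real ones, and the example assumes the deployment is associated with an Elytron security domain backed by the LDAP or database realm.

```java
// Added example (not the poster's code): scoping an Elytron identity to a unit of work
// for entry points that do not go through FORM authentication.
import java.util.Arrays;
import java.util.concurrent.Callable;

import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.auth.server.ServerAuthenticationContext;
import org.wildfly.security.evidence.PasswordGuessEvidence;

public final class ElytronIdentityScoping {

    private ElytronIdentityScoping() {}

    /** The SecurityDomain the current deployment is associated with (assumption: one is mapped). */
    private static SecurityDomain domain() {
        SecurityDomain d = SecurityDomain.getCurrent();
        if (d == null) {
            throw new IllegalStateException("no Elytron SecurityDomain associated with this thread");
        }
        return d;
    }

    /**
     * Option 1: the caller presented a credential the domain's realm can verify
     * (e.g. basic auth on a REST API). The returned identity carries whatever roles
     * the domain's role mappers assign. Returns null when verification fails.
     */
    public static SecurityIdentity authenticateWithPassword(String user, char[] password)
            throws RealmUnavailableException {
        ServerAuthenticationContext ctx = domain().createNewAuthenticationContext();
        PasswordGuessEvidence guess = new PasswordGuessEvidence(password);
        try {
            ctx.setAuthenticationName(user);          // select the realm identity
            if (!ctx.verifyEvidence(guess)) {         // realm checks the password
                return null;
            }
            if (!ctx.authorize()) {                   // permission mapper / login permission
                return null;
            }
            return ctx.getAuthorizedIdentity();
        } finally {
            Arrays.fill(password, '\0');              // do not keep the secret around
        }
    }

    /**
     * Option 2: authentication already happened elsewhere (validated SAML assertion,
     * accepted SSH key). An ad-hoc identity is created by name without consulting the
     * realm, so it carries no realm attributes or roles; only call this after the
     * external proof has been fully validated by the caller.
     */
    public static SecurityIdentity identityFromExternalAuth(String validatedUserName) {
        return domain().createAdHocIdentity(validatedUserName);
    }

    /**
     * Run the request under the given identity. Inside {@code work},
     * SecurityDomain.getCurrent().getCurrentSecurityIdentity().getPrincipal()
     * returns this identity's principal; after runAs returns, the thread's
     * previous identity (anonymous, if none) is restored automatically.
     */
    public static <T> T runWithIdentity(SecurityIdentity identity, Callable<T> work) throws Exception {
        return identity.runAs(work);
    }

    /** Illustrative REST-style request handler wiring the pieces together. */
    public static String handleBasicAuthRequest(String user, char[] password) throws Exception {
        SecurityIdentity identity = authenticateWithPassword(user, password);
        if (identity == null) {
            return "401 Unauthorized";                // never fall back to an ad-hoc identity here
        }
        return runWithIdentity(identity, () -> {
            // Existing application code keeps working unchanged:
            String current = SecurityDomain.getCurrent()
                    .getCurrentSecurityIdentity()
                    .getPrincipal()
                    .getName();
            return "200 OK for " + current;
        });
    }
}
```

The point of the scoped design is that the identity cannot leak to the next request that happens to reuse the same thread, and there is no global setter for application code to misuse. Whether the ad-hoc path is appropriate depends on the security domain's configuration: if the application expects roles or attributes from the realm, it should go through an authentication context (Option 1) or a realm that can look the externally authenticated user up by name, rather than an ad-hoc identity.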