We have moved some processing logic to CDI Async Observers; however, some of the business methods in the observers have security checks that use securityContext.isCallerInRole(...) to check for specific roles.
Since the securityContext is not propagated to Async threads, how can we still enforce application security within the observer? Our custom HttpAuthenticationMechanism only works in the Servlet lifecycle, so it's not possible to trigger authentication using this mechanism.
I cannot see any way to assign Roles/Groups in a programmatic way, and the @RunAs annotation only seems to work for EJBs and not CDI beans.
UPDATE:
OK, this actually seems to be a problem with securityContext.isCallerInRole(...) specifically, as the Principal is actually set OK in the Async method but isCallerInRole is returning false.
Could be the same issue reported here: https://github.com/payara/Payara/issues/4734 (I am running on WildFly 26)
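As an added example (not code from the question or the answer, and not a WildFly or CDI feature): one way to keep the role check enforceable whether or not the container propagates the SecurityContext to the async thread is to evaluate the roles on the request thread, where SecurityContext is authoritative, and carry that snapshot in the event payload for the observer to check. The class and role names (OrderApproved, OrderService, ApprovalObserver, "approver", "auditor") are hypothetical, and the javax.* namespace assumes Jakarta EE 8 as shipped with WildFly 26.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Event;
import javax.enterprise.event.ObservesAsync;
import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;

public class AuthorizedAsyncEvents {

    // Hypothetical role names: every role the observer may need is listed here
    // so it can be evaluated up front on the request thread.
    static final Set<String> CHECKED_ROLES = Set.of("approver", "auditor");

    /** Immutable event payload: caller identity plus the roles confirmed before firing. */
    public static final class OrderApproved {
        final long orderId;
        final String callerName;
        final Set<String> grantedRoles;
        OrderApproved(long orderId, String callerName, Set<String> grantedRoles) {
            this.orderId = orderId;
            this.callerName = callerName;
            this.grantedRoles = Collections.unmodifiableSet(grantedRoles);
        }
        boolean callerHasRole(String role) { return grantedRoles.contains(role); }
    }

    /** Fired from the servlet/request thread, where isCallerInRole is reliable. */
    @ApplicationScoped
    public static class OrderService {
        @Inject SecurityContext securityContext;
        @Inject Event<OrderApproved> approvedEvent;

        public void approve(long orderId) {
            Principal caller = securityContext.getCallerPrincipal();
            if (caller == null) {
                throw new SecurityException("unauthenticated caller cannot approve orders");
            }
            // Snapshot the role decisions while the request's security context is live.
            Set<String> granted = CHECKED_ROLES.stream()
                    .filter(securityContext::isCallerInRole)
                    .collect(Collectors.toSet());
            approvedEvent.fireAsync(new OrderApproved(orderId, caller.getName(), granted));
        }
    }

    /** Runs on a container thread; trusts only the snapshot carried in the event. */
    @ApplicationScoped
    public static class ApprovalObserver {
        public void onApproved(@ObservesAsync OrderApproved event) {
            if (!event.callerHasRole("approver")) {
                throw new SecurityException("caller " + event.callerName + " lacks role 'approver'");
            }
            // business processing for event.orderId goes here
        }
    }
}
```

The payload is built only from the container's own SecurityContext on the request thread, so the observer cannot be handed roles the caller never had; an exception thrown in the async observer surfaces on the CompletionStage returned by fireAsync.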
Haven't checked this in any application server, but according to the CDI 2.0 spec, the container should provide the same security context to the async observer: