Propagate authenticated subject in ElytronSecurityDomainContextImpl

Where an application is deployed using WildFly Elytron security components the Apache CXF integration for the verification of SAML messages is handling this independently of the underlying security infrastructure in use by the application server. This obviously has the issue that WildFly Elytron is not involved in the actual processing but this also leads to the following issues:

With the RFE here we should fill in the gap with the existing Apache CXF / WebServices subsystem and the legacy security system; that means allowing propagating the subject authenticated in the WS/application layer to the Elytron security system in the ElytronSecurityDomainContextImpl. That way an EJB belonging to the same application that processed the SAML message can e.g. access to the proper principal through the SessionContext.

https://github.com/jimma/wildfly/commit/5307f998192caec194d777a704e5249c108e2a1c

Wildfly Elytron SecurityDomain provides createAdHocIdentity(pincipal) to create a SecurityIdentity from principal. Public/private principals can be converted to Elytron’s identityCredentials and attach to SecurityIdentity. The group or roles from Subject will be mapped to securityIdentity with SecurityIdentity.withRoleMapper(). To propagate this SecurityIdentity to EJB subystem, the jaxws ejb invocation handler and ejb interceptor chains should be executed under SecurityIdentity.runAs() block.

To make all these works, convert JAAS subject to Elytron SecurityIdentity in ElytronSecurityDomainContextImpl and set this new created securityIdentity to ThreadLocal currentIdentity to allow the runAs be called in EJB webservice invocation handler.