If a call comes to a container with an incoming RunAS, then the Java EE spec defines a role based approach. The authentication mechanism needs to be bypassed.

Currently, the Identity Trust Framework (with its JavaEETrustModule) takes care of incoming run as but the ITF may not be enabled by default and may not be configured for all security domains.

Hence bring back the explicit check for run-as in authentication interceptor.