Enhancement
Resolution: Done
Major
Currently, there's a difference between Elytron and PicketBox in the behaviour of a run-as-principal operation. In particular, Elytron's SecurityIdentity#createRunAsIdentity() always attempts to authorize a run-as-principal operation, which means that a user needs to be granted the RunAsPrincipalPermission via a custom PermissionMapper in order to run as the given principal (even to run as the anonymous principal). However, PicketBox only performs an authorization check in this case if the security manager is enabled and the check itself seems to be a bit different - PicketBox just checks the caller has "setRunAsPermission", which is a RuntimePermission that doesn't depend on the given principal.
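As an added illustration (not code from this issue or from the Elytron project), the following sketches the kind of custom PermissionMapper that the description says Elytron currently requires: it grants RunAsPrincipalPermission only for an explicit allow-list, so the grant depends on the target principal, unlike PicketBox's principal-independent "setRunAsPermission" check. The class name, the role name `batch-runner` and the principal name `reporting-user` are hypothetical sample values.

```java
import java.security.Permission;
import java.util.Map;
import java.util.Set;

import org.wildfly.security.auth.permission.RunAsPrincipalPermission;
import org.wildfly.security.authz.PermissionMappable;
import org.wildfly.security.authz.PermissionMapper;
import org.wildfly.security.authz.PermissionVerifier;
import org.wildfly.security.authz.Roles;

/**
 * Grants RunAsPrincipalPermission only for an allow-list of
 * (caller role -> target principal names). All names are hypothetical.
 */
public final class RunAsAllowListPermissionMapper implements PermissionMapper {

    // Hypothetical policy: callers holding the role on the left may run as
    // the principals on the right, and as nobody else.
    private static final Map<String, Set<String>> RUN_AS_TARGETS =
            Map.of("batch-runner", Set.of("reporting-user"));

    @Override
    public PermissionVerifier mapPermissions(PermissionMappable identity, Roles roles) {
        // PermissionVerifier is a functional interface: implies(Permission).
        return (Permission requested) -> {
            if (!(requested instanceof RunAsPrincipalPermission)) {
                // This mapper decides run-as only. Every other permission is
                // denied here, so other permissions the domain needs must
                // come from a separate mapper combined with this one.
                return false;
            }
            // The permission name is the principal the caller wants to run as.
            String target = requested.getName();
            for (Map.Entry<String, Set<String>> rule : RUN_AS_TARGETS.entrySet()) {
                if (roles.contains(rule.getKey()) && rule.getValue().contains(target)) {
                    return true;
                }
            }
            return false; // default deny: no wildcard run-as
        };
    }
}
```

With a mapper like this on the security domain, `createRunAsIdentity("reporting-user")` passes its authorization check for a caller in `batch-runner` and fails for any other target principal or caller.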