Permission checks are per request with some requests needing multiple checks, we should look at caching some of our ContextHandler output such as conversion to Subject etc..

Maybe we need some kind of weak hash map to hold the results of the conversion for as long as the SecurityIdentity instance remains alive.