Right now, SecurityContextImpl sends a query to the server using ErraiRPC, and this is initiated from an @AfterInitialization method. So the app's own @AfterInitialization code gets stale info from SecurityContext. Further, there is no way to know when the SecurityContext info has become valid. Even polling it in a timer is no guarantee, because other security-related async queries the app makes at startup could conceivably complete before the SecurityContext's own startup request gets responded to.
We already tried fixing this by asking InitVotes to delay startup until the security RPC has completed. This mostly worked, but it caused several navigate-to-login-page tests to fail, apparently because the SecurityContext init vote was never cast:
WIP from SecurityContextImpl:
There may be completely different ways to solve this that are even better. As a bonus, it would be nice to make the whole thing more Bus/JAX-RS agnostic, which the set-cookie stuff on the server side could help with...