- Bug
- Resolution: Done
- Major
When a HotRod client authenticates to the HR server via Kerberos, the HR server obtains the wrong AccessControlContext, one that does not contain the appropriate Subject (specifically, in AuthorizationManagerImpl.checkPermission()). The returned Subject is null, and moreover this default AccessControlContext allows anything, so effectively the HR client can do anything, no matter what the permissions are.
Note that in this case the Java SecurityManager is turned off; but since the same setup works with e.g. MD5 auth, we should keep some consistency: either it should not work in any case (and an enabled SecurityManager should be a hard requirement for ISPN auth to work), or it should also work with Kerberos auth.
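As an added illustration of the failure mode described above (this is not Infinispan's code), a permission check that fails closed when the AccessControlContext carries no Subject, contrasted with the same call made under Subject.doAs(). The class and method names are hypothetical, and the Subject and principal are constructed sample data.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import javax.security.auth.Subject;

// Hypothetical stand-in for a cache permission check; not Infinispan's own class.
public class SubjectBoundPermissionCheck {

    /** Fails closed: a missing Subject is treated as "no permissions at all". */
    static boolean isAllowed(AccessControlContext acc, String requiredRole) {
        Subject subject = Subject.getSubject(acc);
        if (subject == null) {
            // This is the situation in the report: the default context carries no
            // Subject. Denying here is what keeps an unbound caller from doing anything.
            return false;
        }
        return subject.getPrincipals().stream()
                .map(Principal::getName)
                .anyMatch(requiredRole::equals);
    }

    public static void main(String[] args) {
        // Constructed sample: a Subject with a single principal named "admin".
        Subject adminSubject = new Subject(true,
                Collections.singleton((Principal) () -> "admin"),
                Collections.emptySet(), Collections.emptySet());

        // Outside Subject.doAs(): the current context has no Subject, so the check denies.
        boolean outside = isAllowed(AccessController.getContext(), "admin");
        System.out.println("no Subject bound -> allowed=" + outside);

        // Inside Subject.doAs(): the Subject is attached to the AccessControlContext.
        boolean inside = Subject.doAs(adminSubject,
                (PrivilegedAction<Boolean>) () -> isAllowed(AccessController.getContext(), "admin"));
        System.out.println("Subject.doAs     -> allowed=" + inside);
    }
}
```

The first call models the Kerberos path from the report (no Subject on the context, so access must be refused rather than granted by default); the second shows the context a server-side check should be evaluated under.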