If one tries to access a JCA resource in a context that is using a run-as identity, the run-as identity is not the Subject seen in the ManagedConnectionFactory createManagedConnection(Subject subject, ConnectionRequestInfo info) call.

The understanding of the security layer in the BaseConnectionManager2 is too limited and should be refactored. This could be made to work with a custom login module, but that really is not the correct solution.