- Enhancement
- Resolution: Done
- Major
- Negotiation_2.1.0
- None
Currently, the method SPNEGOLoginModule.usernamePasswordLogin() performs FORM-based authentication and, when it authenticates, it chooses the first principal from the obtained subject and calls setIdentity() with this principal.
In the EPP login modules, our subject has more principals and the user principal is not returned as the first principal of the subject. To handle this situation, it would be nice to have this functionality in a protected method like:

    import java.security.Principal;
    import java.util.Set;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginException;

    /**
     * Picks the identity principal from the subject obtained by the FORM login.
     * Default behaviour: the first principal in the set, with a warning when the
     * subject carries more than one. Subclasses can override the selection.
     */
    protected Principal getIdentityFromSubject(Subject userSubject) throws LoginException {
        Set<Principal> principals = userSubject.getPrincipals();
        if (principals.isEmpty()) {
            throw new LoginException("No principal returned after login.");
        } else if (principals.size() > 1) {
            log.warn("Multiple principals returned, using first principal in set.");
        }
        Principal identity = principals.iterator().next();
        return identity;
    }

which would be called from usernamePasswordLogin(). That way it would be possible to create a subclass of SPNEGOLoginModule and override the behaviour of always choosing the first principal.
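The following is an added example and not code from JBoss Negotiation, the EPP login modules, or this issue. It contrasts the "first principal in the set" selection the issue describes with a type-based selection that a subclass could return from the proposed getIdentityFromSubject(Subject) hook. UserPrincipal and GroupPrincipal are hypothetical marker types standing in for whatever principals the EPP modules actually add; the subject contents are constructed. The security point it makes: Subject.getPrincipals() is an unordered set, so "first" is whichever element the iterator happens to yield, and with a role or group principal present the session can be bound to something that is not the user at all.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;

/**
 * Added example, not code from JBoss Negotiation or the EPP login modules.
 * UserPrincipal and GroupPrincipal are hypothetical types used only to show
 * the difference between order-based and type-based principal selection.
 */
public class PrincipalSelectionDemo {

    /** Hypothetical principal type for the authenticated user's identity. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal(" + name + ")"; }
    }

    /** Hypothetical principal type for a role/group added next to the user. */
    public static final class GroupPrincipal implements Principal {
        private final String name;
        public GroupPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "GroupPrincipal(" + name + ")"; }
    }

    /** The selection described in the issue: whatever the Set yields first. */
    static Principal firstPrincipal(Subject subject) throws LoginException {
        Set<Principal> principals = subject.getPrincipals();
        if (principals.isEmpty()) {
            throw new LoginException("No principal returned after login.");
        }
        // The set is unordered: with several principals this may be the group,
        // not the user, depending on hash layout rather than on any policy.
        return principals.iterator().next();
    }

    /**
     * What an overriding subclass could do instead: select by principal type and
     * fail closed when there is no user principal or more than one, so the
     * session is never bound to an arbitrary identity.
     */
    static Principal userPrincipal(Subject subject) throws LoginException {
        Set<UserPrincipal> users = subject.getPrincipals(UserPrincipal.class);
        if (users.isEmpty()) {
            throw new LoginException("No user principal returned after login.");
        }
        if (users.size() > 1) {
            throw new LoginException("Ambiguous login: " + users.size()
                    + " user principals in subject.");
        }
        return users.iterator().next();
    }

    public static void main(String[] args) throws LoginException {
        // Constructed subject resembling the situation in the issue: a group
        // principal sits in the set next to the user principal.
        Subject subject = new Subject();
        subject.getPrincipals().add(new GroupPrincipal("Roles"));
        subject.getPrincipals().add(new UserPrincipal("alice"));

        System.out.println("first-in-set  : " + firstPrincipal(subject));
        System.out.println("type-selected : " + userPrincipal(subject));

        // An empty subject must be rejected, as in the proposed method.
        try {
            userPrincipal(new Subject());
        } catch (LoginException expected) {
            System.out.println("empty subject : " + expected.getMessage());
        }
    }
}
```

In a subclass of SPNEGOLoginModule the override would simply delegate, e.g. `@Override protected Principal getIdentityFromSubject(Subject s) throws LoginException { return userPrincipal(s); }`, assuming the hook is added as proposed. Rejecting a subject with several candidate user principals, rather than warning and taking the first one, is the conservative choice for an authentication path, since whichever principal is picked becomes the caller identity for the rest of the session.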
- relates to: SECURITY-695 Backport SECURITY-631 to negotiation trunk (Resolved)