When using JAAS authentication and not supplying credentials, ModeShape's Repository.login(...) methods result in a session that does not contain the proper user ID. This is because ModeShape uses the following call to obtain the Subject:
However, when running within a J2EE container, the resulting 'subject' is null!
The fact that the standard Java API to access the Subject from the JAAS LoginContext does not work within J2EE and the app server is very troubling, but apparently this is a problem that is well-known in J2EE circles (of which I am clearly not a member).
According to Kurt, the Guvnor code obtains the Subject from the Seam context. If this is true (and acceptable), perhaps the easiest way to fix this is to enhance ModeShape to define an additional JCR Credentials class that allows this Subject to be passed into ModeShape. This new Credentials class should then be used in J2EE applications that use ModeShape with JAAS security.
I still have not heard back from Anil or Shane as to the "proper" way to grab the Subject. If there's no other way than the Seam context, we may have to add the new Credentials implementation.