Currently, an application can change the identity and authorization of a user by setting the value of the "io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.AuthenticatedSession" session attribute.
This is bad.