  1. Undertow
  2. UNDERTOW-320 Elytron Integration
  3. UNDERTOW-421

Deprecate getIdentityManager on the SecurityContext


    • Type: Sub-task
    • Resolution: Done
    • Priority: Major
    • 1.2.0.Final
    • None
    • Security
    • None

      At the moment, by default all of the authentication mechanisms use the IdentityManager and obtain it from the SecurityContext. However, the contract for an authentication mechanism does not mandate that this is used: different mechanisms can in fact use their own user repositories, the only real requirement being that they can represent the authenticated identity as an Undertow 'Account', which is essentially a Principal with a set of roles.

      For this reason, deprecate the IdentityManager on SecurityContext; instead, by default mechanisms should obtain it as an attachment of the exchange. The existing method will be updated to obtain it the same way.

      The Elytron integration is heading down the path of Elytron supplying a set of authentication mechanisms that are tightly coupled to the Elytron domains and realms. At the moment this identity manager interface would just be another level of abstraction and provide more complication than it solves. Where Undertow is not used in an Elytron-secured environment, the existing interface will still be fully usable and the existing authentication mechanisms will still be able to use it.

            darran.lofthouse@redhat.com Darran Lofthouse
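
The contract described in the issue, shown as an added example that is not Undertow's or Elytron's own code: a mechanism that resolves identities from its own repository, never touches an IdentityManager, and hands Undertow only an `Account`. The class name, header name, mechanism name and the key-digest repository are assumptions made for illustration; it needs Java 10+ and Undertow on the classpath.

```java
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.StatusCodes;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

/** Hypothetical mechanism: API keys checked against its own repository, no IdentityManager. */
public class ApiKeyMechanism implements AuthenticationMechanism {
    private static final String NAME = "API-KEY";      // assumed mechanism name
    private static final String HEADER = "X-Api-Key";  // assumed request header
    private final Map<String, Account> accountsByDigest; // Base64(SHA-256(key)) -> Account

    public ApiKeyMechanism(Map<String, Account> accountsByDigest) {
        this.accountsByDigest = Map.copyOf(accountsByDigest);
    }
    /** All Undertow needs back from a mechanism: a Principal plus a set of roles. */
    public static Account account(String name, Set<String> roles) {
        Principal principal = () -> name;
        Set<String> fixedRoles = Set.copyOf(roles);
        return new Account() {
            @Override public Principal getPrincipal() { return principal; }
            @Override public Set<String> getRoles() { return fixedRoles; }
        };
    }
    /** Only digests are stored, so the repository never holds or compares raw keys. */
    public static String digest(String key) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(key.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    @Override
    public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext sc) {
        String key = exchange.getRequestHeaders().getFirst(HEADER);
        if (key == null) return AuthenticationMechanismOutcome.NOT_ATTEMPTED; // let other mechanisms try
        Account account = accountsByDigest.get(digest(key));
        if (account == null) {
            sc.authenticationFailed("Unknown API key", NAME); // notifies registered listeners
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        sc.authenticationComplete(account, NAME, false); // false: do not cache the identity in a session
        return AuthenticationMechanismOutcome.AUTHENTICATED;
    }
    @Override
    public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext sc) {
        return new ChallengeResult(true, StatusCodes.UNAUTHORIZED);
    }
}
```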