quote from Jakarta Authorization spec 2.1:

4.6.1.3. HttpServletRequest Policy Context Handler

All Jakarta Servlet containers must register a PolicyContextHandler whose getContext method returns a jakarta.servlet.http.HttpServletRequest object when invoked with the key “jakarta.servlet.http.HttpServletRequest”. When this handler is activated, the container must return the HttpServletRequest object corresponding to the component request being processed by the container.

 

This is working fine in WildFly 26 

PolicyContext.getContext("javax.servlet.http.HttpServletRequest")

but not in WildFly 27 (I updated the above string to look-up for jakarta, instead of javax).

Found this commit, which removes the PolicyContextHandler registration from UndertowService.start(final StartContext context). I don't know if the removal of the PolicyContextHandler was intentional or not. If it was intentional, I suppose there are some mechanisms to activate the handler for HttpServletRequest, but I only found this documentation, that indeed activates some handlers (javax.security.auth.Subject.container & org.wildfly.security.auth.server.SecurityIdentity), but no HttpServletRequest.

Attached you can find a simple maven project I used to reproduce the issue.

For WildFly 26, build with "mvn -P wildfly-26"

For WildFly 27, build with "mvn -P wildfly-27" (you also need to uncomment the WildFly 27 jakarta imports from HelloServler.java)

For convenience, I also attached the WARs for WildFly 26 & 27.