Bug
Resolution: Done
Major
cf. forum
org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(Account), which is called on every request, results in reauthentication of the Account. This is a performance issue; in my case it includes an LDAP bind.
Also, if CallerPrincipal mapping is used, the original (LDAP) username that was successfully authenticated via LDAP bind gets mapped to an application username. Account verification reauthenticates with the mapped application username, not the original LDAP username, and therefore fails the LDAP bind and the verify.
So with regard to CallerPrincipal, JAASIdentityManagerImpl.verify(Account) is faulty.
Injection of JAASIdentityManagerImpl cannot be parameterized, nor can its verify(Account) behaviour.
As mentioned in the forum thread, my workaround was to replace JAASIdentityManagerImpl after injection with a delegating IdentityManager that does not reauthenticate on verify().
Replacement happens by means of io.undertow.servlet.ServletExtension, as explained in http://undertow.io/documentation/servlet/using-non-blocking-handlers-with-servlet.html
Sidenote: org.jboss.as.domain.http.server.security.RealmIdentityManager.verify(Account) simply returns account;
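
A sketch of the workaround described above, added here as an illustration; it is not the reporter's code and not part of WildFly. The package and class names are hypothetical, and it assumes the container has already set its IdentityManager on the DeploymentInfo by the time servlet extensions run.

```java
package example.security; // hypothetical package

import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.IdentityManager;
import io.undertow.servlet.ServletExtension;
import io.undertow.servlet.api.DeploymentInfo;

import javax.servlet.ServletContext;

// Hypothetical extension. Register it by listing the class name in
// META-INF/services/io.undertow.servlet.ServletExtension inside the deployment.
public class NoReauthServletExtension implements ServletExtension {

    @Override
    public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
        IdentityManager original = deploymentInfo.getIdentityManager();
        if (original != null) {
            // Wrap the injected manager (JAASIdentityManagerImpl in this report).
            deploymentInfo.setIdentityManager(new NoReauthIdentityManager(original));
        }
    }

    // Delegates credential checks but does not reauthenticate a cached Account.
    static final class NoReauthIdentityManager implements IdentityManager {
        private final IdentityManager delegate;

        NoReauthIdentityManager(IdentityManager delegate) {
            this.delegate = delegate;
        }

        @Override
        public Account verify(Account account) {
            // Called on every request: return the cached Account unchanged,
            // so no LDAP bind happens and the mapped CallerPrincipal name is
            // never replayed against LDAP.
            return account;
        }

        @Override
        public Account verify(String id, Credential credential) {
            // Initial login still goes through the original JAAS-backed manager.
            return delegate.verify(id, credential);
        }

        @Override
        public Account verify(Credential credential) {
            return delegate.verify(credential);
        }
    }
}
```

With this wrapper, verify(Account) never consults the login module again, so an account disabled or changed in LDAP stays valid until the cached Account is discarded, for example at session expiry.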