889486
@@ -358,9 +358,11 @@
public class SimpleSecurityManager implements ServerSecurityManager {
         SecurityContext previous = contexts.peek();
 
         // skip reauthentication if the current context already has an authenticated subject (copied from the previous context
-        // upon creation - see push method) and if both contexts use the same security domain.
-        boolean skipReauthentication = current.getSubjectInfo() != null && current.getSubjectInfo().getAuthenticatedSubject() != null &&
-                previous != null && current.getSecurityDomain().equals(previous.getSecurityDomain());
+        // upon creation - see push method) and both contexts use the same security domain or there is an incoming RunAs of RunAsIdentity type
+        boolean skipReauthentication = current.getSubjectInfo() != null && current.getSubjectInfo().getAuthenticatedSubject() != null && (
+                        (previous != null && current.getSecurityDomain().equals(previous.getSecurityDomain())) ||
+                        current.getIncomingRunAs() instanceof RunAsIdentity
+                );
 
         if (!skipReauthentication) {
             SecurityContextUtil util = current.getUtil();
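Review bot: The new `current.getIncomingRunAs() instanceof RunAsIdentity` arm of `skipReauthentication` skips authentication even when `previous` is null or the two contexts use different security domains, so a subject authenticated in one domain is accepted in another without that domain's login modules running. This may be intended for run-as propagation, but the comment only restates the condition and should say why it is safe, e.g. `// an incoming RunAsIdentity is established by the container, not from caller-supplied data, so its subject is trusted across domains`; that rationale is an assumption to confirm against the code that populates the incoming RunAs, which is not visible here. The comment's "copied from the previous context" also no longer describes the `previous == null` case that this arm now admits. Splitting the expression into `boolean sameDomain = previous != null && current.getSecurityDomain().equals(previous.getSecurityDomain());` and `boolean trustedRunAs = current.getIncomingRunAs() instanceof RunAsIdentity;` would keep the two trust decisions separately readable and auditable. The enclosing method starts and ends outside the hunk.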
