We need a mechanism to make JCA security more pluggable.
This is to cater for use cases where some extra context needs to be used.

The connection manager only understands a subject.
The connection factory (e.g. DataSource) only understands the CRI (method parameters).
The pooling uses both without needing to understand what they are in detail.

This change would provide a "wrapper" connection manager that can do things
more associated to context, e.g. it could be connection factory specific,
i.e. it understands the CRI and can do things that the connection factory doesn't do
or it can do things based on information.

An example of other information would allowing a per deployment
security domain such that you have different pre-configured user/password per ejb.
With something like the following in META-INF/jboss-[web].xml

<jboss>
<enterprise-beans>
<session>
<ejb-name>Whatever</ejb-name>
...
<resource-ref>
<res-ref-name>jdbc/DataSource</res-ref-name>
<jndi-name>java:/MySQLDS</jndi-name>
<security-domain>FooBar</security-domain>
</resource-ref>
</session>
</enterprise-beans>
</jboss>