Users migrating from legacy security that were using custom login modules could use custom principals as well. 

Elytron realms require principal to be instance of NamePrincipal for authentication. All current principal transformers take place before the authentication and NamePrincipal is final class, so custom principals can not be returned from Elytron. 

Current solution for such users is to use SecurityIdentity obtained from current SecurityDomain and utilize SecurityIdentity' attributes to obtain information from realms. This solution has a drawback of having to change the application code when migrating and having to rely on SecurityDomain and SecurityIdentity instead of more generic and standardized methods like SecurityContext.getCallerPrincipal() .

This issue is to add possibility to obtain custom principal from Elytron. Possible solution is to introduce new principal transformer resource that takes place after authentication and can use SecurityIdentity's attributes to transfer information and map it a custom principal type at the end.