Tomcat has supported JASPIC since version 8.5, but it does not pass the TCK due to a CallbackHandler issue. The org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl class is not consistent with what is done in AuthenticatorBase.
The callback handler keeps adding to the subject every time it's called, which results in many principals being added to the same subject.
On the other hand, the authenticator base only pulls the first principal from the Subject.
We should either merge all principals in the authenticator base or merge in the callback handler.
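
A minimal model of the mismatch described above, as an added example that is not Tomcat's code or part of the original report. `UserPrincipal`, `handleAppending`, `handleMerging` and `firstPrincipal` are hypothetical names, only JDK classes are used, and the two-step callback sequence is constructed.

```java
import java.security.Principal;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;

public class PrincipalMergeDemo {
    // Hypothetical stand-in for a container principal: a name plus its roles.
    record UserPrincipal(String name, Set<String> roles) implements Principal {
        public String getName() { return name; }
    }

    // Models the reported handler behaviour: each call adds one more principal.
    static void handleAppending(Subject s, String name, String... roles) {
        s.getPrincipals().add(new UserPrincipal(name, Set.of(roles)));
    }

    // Models one proposed fix: merge in the handler so one principal remains.
    static void handleMerging(Subject s, String name, String... roles) {
        Set<String> merged = new TreeSet<>(List.of(roles));
        Set<UserPrincipal> old = s.getPrincipals(UserPrincipal.class);
        old.forEach(p -> merged.addAll(p.roles()));
        s.getPrincipals().removeAll(old);
        s.getPrincipals().add(new UserPrincipal(name, merged));
    }

    // Models the consumer side: only the first principal found is used.
    static UserPrincipal firstPrincipal(Subject s) {
        for (Principal p : s.getPrincipals()) {
            if (p instanceof UserPrincipal up) return up;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sequence: caller name first, group membership second.
        Subject appended = new Subject();
        handleAppending(appended, "alice");
        handleAppending(appended, "alice", "admin");
        System.out.println("appending: " + appended.getPrincipals().size()
                + " principals, consumer sees " + firstPrincipal(appended));

        Subject merged = new Subject();
        handleMerging(merged, "alice");
        handleMerging(merged, "alice", "admin");
        System.out.println("merging:   " + merged.getPrincipals().size()
                + " principals, consumer sees " + firstPrincipal(merged));
    }
}
```

With the appending handler, whichever principal the consumer picks carries only part of what the callbacks supplied, so role checks made against it can disagree with what the authentication module asserted.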