diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java
index a5a32ed8aad8a4ff57f75352ee99b9f22e23bfa5..f521b5d9e9023bc4016426d212d10a4cdca85fda 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/AbstractCommand.java
@@ -89,7 +89,6 @@ public abstract class AbstractCommand implements PrivilegedAction<Object>
 
     private UserPersistence userPersistence;
 
-
     protected abstract void doRun()
             throws AccessControlException, TransientException;
 
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java
index 5da814fa0d7094f3a7b388c7ded739f53bb4396a..97f130684f1b7203e135eaba4b6e608a8d581e31 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/CommandRunner.java
@@ -78,11 +78,8 @@ import org.apache.log4j.Logger;
 
 import ca.nrc.cadc.ac.UserNotFoundException;
 import ca.nrc.cadc.ac.server.UserPersistence;
-import ca.nrc.cadc.auth.AuthenticationUtil;
-import ca.nrc.cadc.auth.DelegationToken;
-import ca.nrc.cadc.auth.PrincipalExtractor;
-import ca.nrc.cadc.auth.SSOCookieCredential;
-import ca.nrc.cadc.auth.X509CertificateChain;
+import ca.nrc.cadc.auth.AuthMethod;
+import ca.nrc.cadc.auth.HttpPrincipal;
 import ca.nrc.cadc.net.TransientException;
 
 
@@ -116,6 +113,7 @@ public class CommandRunner
         {
             Principal userIDPrincipal = ((AbstractUserCommand) command).getPrincipal();
             operatorSubject.getPrincipals().add(userIDPrincipal);
+            operatorSubject.getPublicCredentials().add(AuthMethod.PASSWORD);
         }
         else
         {
@@ -130,48 +128,12 @@ public class CommandRunner
                 throw new IllegalArgumentException("Certificate required");
 
             operatorSubject.getPrincipals().addAll(subjectFromCert.getPrincipals());
+            operatorSubject.getPrincipals().add(new HttpPrincipal("authorizedUser"));
             operatorSubject.getPublicCredentials().addAll(subjectFromCert.getPublicCredentials());
+            operatorSubject.getPublicCredentials().add(AuthMethod.CERT);
         }
 
-        // run as the user
-        AnonPrincipalExtractor principalExtractor = new AnonPrincipalExtractor(operatorSubject);
-        Subject subject = AuthenticationUtil.getSubject(principalExtractor);
-        LOGGER.debug("running as: " + subject);
-        Subject.doAs(subject, command);
-    }
-
-    class AnonPrincipalExtractor implements PrincipalExtractor
-    {
-        Subject s;
-
-        AnonPrincipalExtractor(Subject s)
-        {
-            this.s = s;
-        }
-        public Set<Principal> getPrincipals()
-        {
-            return s.getPrincipals();
-        }
-        public X509CertificateChain getCertificateChain()
-        {
-            LOGGER.debug("getCerfiticateChain called");
-            for (Object o : s.getPublicCredentials())
-            {
-                if (o instanceof X509CertificateChain)
-                {
-                    LOGGER.debug("returning certificate chain.");
-                    return (X509CertificateChain) o;
-                }
-            }
-            return null;
-        }
-        public DelegationToken getDelegationToken()
-        {
-            return null;
-        }
-        public SSOCookieCredential getSSOCookieCredential()
-        {
-            return null;
-        }
+        LOGGER.debug("running as: " + operatorSubject);
+        Subject.doAs(operatorSubject, command);
     }
 }
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java
index 66f48174b29e87d54990a65fdc22c1509c024bd5..8a92a058e235abcb0a8bec759fa357f4c0d8d6b8 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUserRequests.java
@@ -92,4 +92,5 @@ public class ListUserRequests extends AbstractListUsers
     {
     	return this.getUserPersistence().getUserRequests();
     }
+
 }
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUsers.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUsers.java
index 1256ad9af5a0a8f8e3d63356bddd808e06d7b790..bcb5d34bee217fba54a4a10949eb90dce956f0be 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUsers.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ListUsers.java
@@ -92,4 +92,5 @@ public class ListUsers extends AbstractListUsers
     {
     	return this.getUserPersistence().getUsers();
     }
+
 }
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/RejectUser.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/RejectUser.java
index 4050de7b22186cc4fd0c06a7a70205a840d26d21..e21718a93cf2c124abd6b1b34591a18d7f0da203 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/RejectUser.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/RejectUser.java
@@ -81,10 +81,10 @@ import ca.nrc.cadc.net.TransientException;
  * @author yeunga
  *
  */
-public class RejectUser extends AbstractUserCommand 
+public class RejectUser extends AbstractUserCommand
 {
     private static final Logger log = Logger.getLogger(RejectUser.class);
-	
+
     /**
      * Constructor
      * @param userID Id of the pending user to be deleted
@@ -93,9 +93,9 @@ public class RejectUser extends AbstractUserCommand
     {
     	super(userID);
     }
-    
-    protected void execute() 
-        throws AccessControlException, UserNotFoundException, TransientException 
+
+    protected void execute()
+        throws AccessControlException, UserNotFoundException, TransientException
     {
         // delete user from the pending tree
         this.getUserPersistence().deleteUserRequest(this.getPrincipal());
diff --git a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ViewUser.java b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ViewUser.java
index 6201ca876d905d73bd634ea381eedcdc93305052..e3e705ca79e27baad75b8b35d3f5a48df326eaaf 100644
--- a/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ViewUser.java
+++ b/cadc-access-control-admin/src/main/java/ca/nrc/cadc/ac/admin/ViewUser.java
@@ -106,7 +106,7 @@ public class ViewUser extends AbstractUserCommand
             User user = this.getUserPersistence().getUser(this.getPrincipal());
             this.printUser(user);
         }
-        catch (UserNotFoundException e)
+        catch (AccessControlException | UserNotFoundException e)
         {
             // Not in the main tree, try the pending tree
             User user = this.getUserPersistence().getUserRequest(this.getPrincipal());