Given a Java Servlet (running on a Windows server) which creates a new process via ProcessBuilder, what are my options for having that new process run as the user who invoked the original web request to the servlet?
To clarify, what I want is something like:
    ProcessBuilder pb = new ProcessBuilder("whoami");
    Process p = pb.start();
    // p.getInputStream() (the child's stdout) should contain the name of the remote user,
    // not the user running the app server
And the real goal is to perform some security checks (say, to see if the user is able to open a file, or view such-and-such record in an internal enterprise system).
Clearly the user will need to be authenticated somehow, either by the app server or the Java code. Ideally I’d like that to be in some way that works with single sign-on (i.e. without the user entering a password), and it’s fine if the solution works only from Windows clients who are already logged onto a domain (though even better if that’s not a restriction). I’m currently using Jetty as the app server, but switching to something else would certainly be a viable option if necessary.
(If it helps to clarify, I’m basically looking to replace a CGI script which currently uses IIS’s impersonation features to run in the context of the user making the request)
Project Waffle will get you (almost) there. It has SSO and impersonation implemented.
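A sketch of the file-access check done under impersonation on the request thread, added here as an example (it is not code from the original posts or from the Waffle project). It assumes Waffle's NegotiateSecurityFilter has authenticated the request and left a live identity on the WindowsPrincipal, and the javax.servlet namespace; the servlet name and file path are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Principal;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import waffle.servlet.WindowsPrincipal;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.IWindowsImpersonationContext;

public class AccessCheckServlet extends HttpServlet {      // hypothetical servlet
    // Hypothetical file whose ACL decides the answer.
    private static final Path TARGET = Paths.get("D:\\shares\\reports\\q3.xlsx");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Principal p = req.getUserPrincipal();
        if (!(p instanceof WindowsPrincipal)) {            // request was not SSO-authenticated
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        IWindowsIdentity identity = ((WindowsPrincipal) p).getIdentity();
        if (identity == null) {                            // e.g. principal restored from a serialized session
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        boolean readable;
        IWindowsImpersonationContext ctx = identity.impersonate();
        try {
            // File I/O on this thread is now checked against the caller's token.
            // A ProcessBuilder child would still run as the app-server account,
            // because CreateProcess uses the process token, not the thread's
            // impersonation token.
            readable = canOpen(TARGET);
        } finally {
            ctx.revertToSelf();                            // never hand an impersonating thread back to the pool
        }
        resp.setContentType("text/plain");
        resp.getWriter().println(identity.getFqn() + " readable=" + readable);
    }

    // Opening the file is the check; the OS applies the ACL to the effective token.
    static boolean canOpen(Path path) {
        try (InputStream in = Files.newInputStream(path)) {
            return true;
        } catch (IOException e) {
            return false;
        }
    }
}
```

Access to remote resources (for example a UNC share) from the impersonated thread additionally depends on Kerberos delegation being permitted for the service account.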