Steps to reproduce:
1. Configure Opencast as an LTI tool provider.
2. Remove the fourth constructor argument from the LtiLaunchAuthenticationHandler in etc/security/mh_default_org.xml.
3. Send an LTI request with "ext_user_username" set to the name of an existing Opencast user.
You are not authenticated as that user.
You should be authenticated as that user.
Workaround (if any):
Add a fourth constructor argument, e.g. like this: https://github.com/opencast/opencast/commit/ef7bc8e94936b426bec5cb52f846d81c8c903657