When a security domain is configured to use a cache, this cache is shared between all application that are in the security domain. This could allow a user authenticated in one application to access protected resources in another despite not being authorized to do so. This is currently an intended functionality, but it was not clearly documented. Application developers could easily have assumed that a security domain cache is isolated to a single application.
This issue was discovered by Ondrej Lukas of the Red Hat JBoss EAP Quality Engineering team.
The fix for this flaw has been determined to be an addition to documentation. An admonition has been added to the relevant documentation that explain security domain usage in Red Hat JBoss Enterprise Application Platform 6. No security advisory will be published for this fix.