Description of problem:
The member field ThreadLocal<CompoundInfo> validatedDomainInfo was introduced for the fix of SECURITY-868. When you are authenticated, a valid security info is stored in the field thread-locally. Then, when you flush the JAAS cache via CLI or API in another thread, org.jboss.security.authentication.JBossCachedAuthenticationManager.flushCache() is invoked, but validatedDomainInfo is not flushed properly, since it is ThreadLocal. As a result, a cached security info is re-used unexpectedly.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Created attachment 1024453: reproducer.tar.gz
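The behaviour described in the report, reduced to a stand-alone model. This is an added example, not the attached reproducer and not PicketBox/JBoss code. The class, field and method names are hypothetical, and the generation-counter check is an assumed mitigation, not the fix the project applied.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

// Hypothetical model of the reported pattern; not PicketBox/JBoss code.
public class ThreadLocalFlushDemo {
    static final class Info {
        final String principal;
        final long generation;   // flush generation at validation time
        Info(String principal, long generation) {
            this.principal = principal;
            this.generation = generation;
        }
    }

    static final Map<String, Info> sharedCache = new ConcurrentHashMap<>();
    static final ThreadLocal<Info> validatedInfo = new ThreadLocal<>();
    static final AtomicLong generation = new AtomicLong();

    static void authenticate(String user) {
        Info info = new Info(user, generation.get());
        sharedCache.put(user, info);
        validatedInfo.set(info);   // visible only to the calling thread
    }

    // Runs on the admin thread. It can clear the shared map, but it cannot
    // reach the ThreadLocal slots that belong to other threads.
    static void flushCache() {
        sharedCache.clear();
        generation.incrementAndGet();   // consulted only by lookupChecked()
    }

    // Pattern from the report: the thread-local copy is trusted as-is.
    static Info lookupNaive() { return validatedInfo.get(); }

    // Assumed mitigation: reject entries validated before the last flush.
    static Info lookupChecked() {
        Info info = validatedInfo.get();
        if (info != null && info.generation != generation.get()) {
            validatedInfo.remove();
            return null;
        }
        return info;
    }

    public static void main(String[] args) throws InterruptedException {
        authenticate("alice");   // constructed sample user, request thread
        Thread admin = new Thread(ThreadLocalFlushDemo::flushCache);
        admin.start();
        admin.join();            // flush has completed on the other thread
        System.out.println("shared cache empty:   " + sharedCache.isEmpty());
        System.out.println("naive still cached:   " + (lookupNaive() != null));
        System.out.println("checked still cached: " + (lookupChecked() != null));
    }
}
```

The naive lookup keeps returning the entry after the flush because the flushing thread never sees the request thread's slot; the checked lookup forces re-validation instead.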
Ivo Studensky <istudens> updated the status of jira SECURITY-882 to Resolved
Ivo Studensky <istudens> updated the status of jira SECURITY-868 to Reopened
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.