JACC HttpServletRequestPolicyContextHandler removal on single application undeploy impacting all other deployed applications ---------------------------------------------------------------------------------------------------------------------------- Key: WFLY-1477 URL: https://issues.jboss.org/browse/WFLY-1477 Project: WildFly Issue Type: Bug Security Level: Public(Everyone can see) Components: Web (Undertow) Affects Versions: 8.0.0.Alpha1 Environment: CentOS 6.x, JBoss AS 7.1.1.Final Reporter: Steve S Assignee: Tomaz Cerar Labels: domain, jaas, jboss, jbossweb, login, module, security Fix For: 8.0.0.Final Please see the following forum post for a detailed explanation and findings(and potential workaround): https://community.jboss.org/message/822054#822054 If multiple WARs are deployed that depend on a login module leveraging: HttpServletRequest request = (HttpServletRequest)PolicyContext.getContext("javax.servlet.http.HttpServletRequest"); then upon undeploy of any web application in the container the HttpServletRequestPolicyContextHandler is removed(deregistered) in the stop() lifecycle method of the JBossWebRealmService, resulting in: 13:03:35,335 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (ajp--0.0.0.0-8009-1) Login failure: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: No PolicyContextHandler for key=javax.servlet.http.HttpServletRequest at javax.security.jacc.PolicyContext.getContext(PolicyContext.java:117) for any webapps still deployed for every subsequent access to them. Simply redeploying any ONE of the remaining webapps or the previously undeployed webapp causes this problem to go away for all deployed applications.