RH Bugzilla Integration commented on SECURITY-868:
--------------------------------------------------
baranowb <bbaranow(a)redhat.com> changed the Status of [bug
Multithread issue when validating with cached hashed password + nonce
credential info from JBossCachedAuthenticationManager
--------------------------------------------------------------------------------------------------------------------------
Key: SECURITY-868
URL:
https://issues.jboss.org/browse/SECURITY-868
Project: PicketBox
Issue Type: Task
Components: PicketBox
Reporter: Jim Ma
Assignee: Stefan Guilhen
Fix For: PicketBox_4_9_0.Beta3
When the new security domain is configured with catch-type=default in standalone.xml, the
validated credential is put in the JBossCachedAuthenticationManager as a principal and
domain-info value pair. In a multithreaded environment, a newly validated credential can
overwrite the domain info cached by a previous thread. As a result, even within the same
thread, the cached authentication info no longer works. For example, if one user logs in
with username, password and nonce in two threads, thread A and thread B: thread A caches the
validated credential (hashed password + nonce) in JBossCachedAuthenticationManager, then
thread B does the authentication and caches its validated credential (hashed password + nonce).
Even though it is the same user and password, the credential is different because the nonce
is different, so the new credential created in thread B overwrites the previous value
created by thread A. In thread A the cached validation info then no longer works, and all
following validations against the cached credential fail.
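The following is an added example, not code from the issue or from PicketBox: a small Python model of a cache keyed only by principal, replaying the schedule described above (two threads miss the cache for the same user, both validate fully, thread B's write lands last, thread A validates again with its own nonce). The user store, the nonces, the digest function and the class names are all constructed for the illustration. The second class shows one defensive approach (an assumption, not the project's actual fix): treating a cached-credential mismatch as a cache miss that is re-validated against the backend, rather than as an authentication failure, so a stale entry cannot deny a correct login while a wrong password still fails.

```python
import hashlib

# Constructed user store standing in for the security domain's real backend.
USER_STORE = {"alice": "s3cret"}


def digest(password, nonce):
    # Constructed stand-in for a "hashed password + nonce" credential:
    # the same password with a different nonce yields a different credential.
    return hashlib.sha256(f"{password}:{nonce}".encode()).hexdigest()


class PrincipalKeyedCache:
    """Hypothetical model of a cache keyed only by principal (not PicketBox code).

    The cached path compares the presented credential against the single stored
    credential and reports any mismatch as an authentication failure.
    """

    def __init__(self, user_store):
        self.user_store = user_store
        self.entries = {}  # principal -> last validated credential

    def lookup(self, principal):
        return self.entries.get(principal)

    def authenticate(self, principal, credential, nonce):
        # Full validation against the backend, then cache the validated credential.
        password = self.user_store.get(principal)
        if password is None or digest(password, nonce) != credential:
            return False
        self.entries[principal] = credential
        return True

    def validate(self, principal, credential, nonce):
        cached = self.lookup(principal)
        if cached is not None:
            return cached == credential  # cached path only; a stale entry means denial
        return self.authenticate(principal, credential, nonce)


class FallbackCache(PrincipalKeyedCache):
    """Defensive variant (an assumption, not the project's fix): a cached-credential
    mismatch is treated as a cache miss and re-validated against the backend."""

    def validate(self, principal, credential, nonce):
        cached = self.lookup(principal)
        if cached is not None and cached == credential:
            return True
        return self.authenticate(principal, credential, nonce)


def run_schedule(cache_cls):
    """Replays the interleaving from the report deterministically: threads A and B
    both observe an empty cache for the same user, both validate fully, B's write
    lands last, and then thread A validates again with its own nonce."""
    cache = cache_cls(USER_STORE)
    cred_a = digest("s3cret", "nonceA")
    cred_b = digest("s3cret", "nonceB")
    assert cache.lookup("alice") is None        # both threads miss the cache
    cache.authenticate("alice", cred_a, "nonceA")  # thread A caches its credential
    cache.authenticate("alice", cred_b, "nonceB")  # thread B's credential overwrites it
    return {
        "a_again": cache.validate("alice", cred_a, "nonceA"),
        "b_again": cache.validate("alice", cred_b, "nonceB"),
        "wrong_pw": cache.validate("alice", digest("wrong", "nonceA"), "nonceA"),
    }


if __name__ == "__main__":
    print("principal-keyed:", run_schedule(PrincipalKeyedCache))
    print("fallback:", run_schedule(FallbackCache))
```

With the principal-keyed cache, thread A's repeat validation fails even though its password is correct, which is the behaviour the report describes; with the fallback variant both threads' valid logins succeed and a wrong password is still rejected, at the cost of an extra backend validation whenever two nonces for the same user alternate.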