Fix for SECURITY-868 breaks flush-cache capability -------------------------------------------------- Key: SECURITY-882 URL: https://issues.jboss.org/browse/SECURITY-882 Project: PicketBox Issue Type: Bug Components: AS-Integration Affects Versions: PicketBox_4_0_19.Final Environment: EAP 6.3.3, JDV 6.1.0 Reporter: Hisanobu Okuda Assignee: Stefan Guilhen The member field ThreadLocal<CompoundInfo> validatedDomainInfo was introduced for the fix of SECURITY-868. When you are authenticated, a valid security info is stored in the field thread-locally. Then, you flushes the JAAS cache via CLI or API in another thread, org.jboss.security.authentication.JBossCachedAuthenticationManager.flushCache() is invoked, but validatedDomainInfo is not flushed properly, since it is ThreadLocal. As a result, a cached security info is re-used unexpectedly.