Rémy Delerue updated WFLY-9251:
-------------------------------
Attachment: wildfly-auth-overloader.js
Security context is not thread safe
-----------------------------------
Key: WFLY-9251
URL: https://issues.jboss.org/browse/WFLY-9251
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 10.1.0.Final
Environment: Windows, Linux
Reporter: charles ghislain
Assignee: Darran Lofthouse
Labels: jaas, security, security-context, thread-safety, threads
Attachments: wildfly-auth-overloader.js, wildflytestauthcontext-2.zip,
wildflytestauthcontext.zip
Using a custom JAAS login module, we sometimes fail to obtain the authenticated subject
from the 'javax.security.auth.Subject.container' policy context. This appears to be
related to the worker threads.
See the reproduction steps below. When a WildFly instance attempts to authenticate 500
requests coming simultaneously, a bunch of them fail. If you configure WildFly to only use
a single worker thread and a single task thread, this issue disappears.
The issue is as follows:
I log in using HttpServletRequest#login.
Right after that, login.getUserPrincipal returns the correct principal.
However, sometimes,
PolicyContext.getContext("javax.security.auth.Subject.container") returns null
right after the login.
In our production app,
PolicyContext.getContext("javax.security.auth.Subject.container") returns null
during some EJB call, throwing random exceptions from various parts of the application.