There is another, perhaps theoretical leak possibility JBoss authentication cache implemented using TimedCachePolicy. This is because entries in TimedCachePolicy are not purged from the cache until they are fetched from the cache, and are then noticed as expired. The leak occurs when: 1. I login to web application using some credentials. 2. This information is entered in the authentication cache. The login credentials involve a LoginContext object that has reference to the web app ClassLoader. 3. I undeploy. 4. I never ever again login using the same credentials. When same credentials are not used, they will not be fetched from auth cache, therefore never seen as expired and never purged: the ClassLoader is leaked through the stuff entered in the cache. This can be worked around by flushing the cache. I guess JBAS-4752 sort of solves this. However, I think the cache should be purged also when web application is undeployed. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4134192#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...