Description:
|
To reproduce, simply try to send an order in using the web form.
It appears JBossJaasSecurityProfile is clearing the security context before the web processor can clean up. Check out org.jboss.as.web.security.SecurityContextAssociationValve.invoke(). Around line 125, it pushes an identity. Then, around line 171, it pops the identity, which blows chunks because the security context has been nuked.
The stack trace when running the demo using the web form:
|