Because seam's security framework caches instances of PermissionResolvers gobally and uses them without synchronization, implementors of such resolvers should make sure that (a) they hold no state and (b) that they don't use @In to obtain dependencies, even of stateless components like DAOs, because bijection from multiple concurrent threads might be interleaved.

This is now JBSEAM-3882 , but I didn't want anyone else to be bitten under high load on a production server and spend an entire day tracking down race conditions, like, uh, I just did :)