I deployed a simple test ear on Branch_4_2 and found that it got associated with HsqlDbRealm. That seems odd.
The ear is very straightforward. A webapp with a couple servlets and an ejb jar with one SLSB. Nothing is specified as being secured; there aren't even any jboss-specific deployment descriptors in the ear.
I'm using this ear to try to track down a classloader leak on undeploy. Found a reference chain leading back to the TimedCachePolicy in JaasSecurityManager. Not sure if that's a problem -- should the cache be flushed on undeploy, or is it expected the ref will eventually clear when the entry times out?
Pending finding an answer to the above, I decided to just have my test flush the "other" cache so I could see if there were other leakage paths. But it didn't work -- for some reason the entry was stored in the "HsqlDbRealm" cache. I have no idea why.
I would assume its due to the ejb timer service. The cache won't be flushed on undeploy as in general security domains are not local to a deployment.