Access to fields uncheckedPermissions, excludedPermissions and rolePermissions in org.wildfly.security.authz.jacc.ElytronPolicyConfiguration is holded by lock. However lock is not used in their getter methods. Getters should be also handled by locks to avoid unguarded read of those fields.