To disable authentication cache you have to set the following config option:

setAuthenticationCacheSize(0)

SecurityStoreImpl then creates the following guava cache with maximumSize set to 0:

authenticationCache = CacheBuilder.newBuilder()
.maximumSize(authenticationCacheSize)
.expireAfterWrite(invalidationInterval, TimeUnit.MILLISECONDS)
.build();

The way the guava LocalCache implementation works with maximumSize is that even with size 0 an entry is added but then is removed; this means that another thread can end up pulling an entry out of the cache before it is evicted; even though maximumSize is set to 0.

It has taken me some effort to track down this timing issue but the behaviour is also explained in the guava docs:

When size is zero, elements will be evicted immediately after being loaded into the cache. This can be useful in testing, or to disable caching temporarily without a code change.This feature cannot be used in conjunction with maximumWeight

Based on these findings no auth cache should be created at all when size 0 is requested.