If an authenticated caller fails a resource authorization check, the thread association from the authentication phase is not being cleared. This can result in the caller identity being leaked to subsequent requests that do not have any incoming authentication.