Bug
Resolution: Done
Minor
JBossAS-4.0.4.GA
Whether or not this is a bug is debatable, but it is definitely less than an optimal situation.
The JAASSecurityManager implements logic to cache authentication information and validate against the cache prior to re-authenticating via the LoginContext. The method call isValid() takes in the credential as an object. The logic that validates against the cache is such that a String and char array that represent the same character sequence will never be considered equal.
The non-optimal situation is created because the security component integrated with Tomcat passes the credential as a String, but JMS uses char[]. This can lead to a large amount of churn in the security subsystem when the same user is authenticated via both paths.
A workaround is to have users dedicated to JMS that never connect via web-based authentication.
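The churn described above can be reproduced with a small model of a credential cache. This is an added example, not JBoss code: the class `CredentialCacheChurn`, its fields, the principal `alice` and the sample password are hypothetical, and a full login is represented by a counter rather than a real LoginContext call. It compares a cache that checks credentials by type-specific equality with one that first brings String and char[] to a single representation.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Hypothetical model of an authentication cache; not the JaasSecurityManager source.
public class CredentialCacheChurn {
    private final Map<String, Object> cache = new HashMap<>();
    private final boolean normalize;
    int fullLogins = 0; // stands in for a LoginContext round trip

    CredentialCacheChurn(boolean normalize) { this.normalize = normalize; }

    // Bring String and char[] to one representation; leave other types alone.
    private static Object canonical(Object credential) {
        if (credential instanceof String) return ((String) credential).toCharArray();
        if (credential instanceof char[]) return ((char[]) credential).clone();
        return credential;
    }

    private static boolean sameCredential(Object a, Object b) {
        if (a instanceof char[] && b instanceof char[]) {
            return Arrays.equals((char[]) a, (char[]) b);
        }
        return a != null && a.equals(b); // String vs char[] is always false here
    }

    boolean isValid(String principal, Object credential) {
        Object presented = normalize ? canonical(credential) : credential;
        Object cached = cache.get(principal);
        if (cached != null && sameCredential(cached, presented)) {
            return true; // cache hit, no re-authentication
        }
        fullLogins++; // miss: re-authenticate (assumed to succeed) and overwrite the entry
        cache.put(principal, presented);
        return true;
    }

    public static void main(String[] args) {
        for (boolean normalize : new boolean[] {false, true}) {
            CredentialCacheChurn mgr = new CredentialCacheChurn(normalize);
            for (int i = 0; i < 5; i++) {
                mgr.isValid("alice", "s3cret");               // web path passes a String
                mgr.isValid("alice", "s3cret".toCharArray()); // JMS path passes a char[]
            }
            System.out.println("normalize=" + normalize + " fullLogins=" + mgr.fullLogins);
        }
    }
}
```

Without normalization every alternation between the two paths is a cache miss, because each miss overwrites the entry with the other representation; with normalization only the first call triggers a full login.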