- Bug
- Resolution: Won't Do
- Major
- None
- PLINK_1.0.4.final
- Low
The mechanism used for marshal/unmarshal within PicketLink STS (client and server) is not thread-safe. JAXBContext instances from Sun/Oracle are defined as thread-safe. Furthermore, the creation of a JAXBContext instance is quite expensive and shouldn't be performed on-demand for all requests. Within org.picketlink.identity.federation.core.wstrust.WSTrustJAXBFactory, Marshaller and Binder<Node> are member variables of this singleton-like class instantiated within the private constructor. Consequently, when multiple threads request to marshal/unmarshal data, errors are thrown regarding marshal failure. WSTrustClient leverages the WSTrustJAXBFactory mechanism to marshal/unmarshal data and consequently creates client-side threading issues.
Known classes impacted:
- org.picketlink.identity.federation.api.wstrust.WSTrustClient
- org.picketlink.identity.federation.core.wstrust.STSClient
- org.picketlink.identity.federation.core.wstrust.PicketLinkSTS
I was able to fix the issue by refactoring WSTrustJAXBFactory:
1. Single static instance of JAXBContext created with private getPackages() method
2. Return new instance of Marshaller/Binder when needed by member operations
- I can't guarantee this fix works for the WSTrustClient because I'm no longer using it (wrote my own client to interface with STS service)