- Bug
- Resolution: Done
- Major
- PLINK_2.7.0.CR1
- None
There is a bug in JPAIdentityStore$PermissionOperationSet#adjustOperation(String, boolean). Specifically, there should not be a conditional wrapping line 1877:
if (ops > 0) {
newOperations = ops;
}
newOperations should be set to ops unconditionally. Because it is only set if ops > 0, it is impossible to remove the last operation in a set of permissions. Even worse, because newOperations is set to operation at the beginning of the method and is never changed, the entity in the database is updated with the name of the operation being revoked, rather than being erased. For example, suppose you have a resource class with two kinds of operations:
READ = 1
WRITE = 2
If you grant both permissions, the database will correctly be updated with a value of "3". If you then try to revoke both permissions, with READ being revoked first, the row should be removed from the database. Instead, revoking READ will work correctly, but revoking WRITE will cause the row to be updated with a value of "WRITE". This causes exceptions later, since other parts of PicketLink expect the stored value to be a bitmask.
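The following is an added, self-contained model of the grant/revoke bookkeeping described above; it is not PicketLink's code. The method names, the string-valued storage column, and the `null`-means-delete convention are assumptions made so the defect can be reproduced in isolation: the buggy variant keeps the conditional and the `newOperations = operation` initialisation, the fixed variant always takes the recomputed mask.

```java
import java.util.HashMap;
import java.util.Map;

/** Constructed model of the permission-operation adjustment described in the report (not PicketLink's code). */
public class PermissionBitmaskDemo {

    // Operation names and their bit values, as given in the report.
    static final Map<String, Integer> OPERATION_BITS = new HashMap<>();
    static {
        OPERATION_BITS.put("READ", 1);
        OPERATION_BITS.put("WRITE", 2);
    }

    /**
     * Buggy variant (assumed shape of the defective method): newOperations starts as the
     * operation *name* and is only replaced when the remaining mask is > 0, so revoking the
     * last operation hands back the name instead of signalling an empty set.
     * Returns the value to write back; null would mean "remove the row".
     */
    static String adjustOperationBuggy(String stored, String operation, boolean remove) {
        String newOperations = operation;          // initialised to the op name (the defect)
        int ops = Integer.parseInt(stored);
        int bit = OPERATION_BITS.get(operation);
        ops = remove ? (ops & ~bit) : (ops | bit);
        if (ops > 0) {                             // the conditional that should not be here
            newOperations = String.valueOf(ops);
        }
        return newOperations;                      // "WRITE" once the last op is revoked
    }

    /** Fixed variant: always take the recomputed mask; an empty mask means the row is removed. */
    static String adjustOperationFixed(String stored, String operation, boolean remove) {
        int ops = Integer.parseInt(stored);
        int bit = OPERATION_BITS.get(operation);
        ops = remove ? (ops & ~bit) : (ops | bit);
        return ops > 0 ? String.valueOf(ops) : null;   // null signals "delete the permission row"
    }

    public static void main(String[] args) {
        // Grant READ then WRITE starting from an empty mask ("0" is a constructed starting value).
        String granted = adjustOperationFixed(adjustOperationFixed("0", "READ", false), "WRITE", false);
        System.out.println("after granting READ and WRITE: " + granted);

        // Revoke READ: both variants behave the same here.
        String afterRead = adjustOperationBuggy(granted, "READ", true);
        System.out.println("after revoking READ (buggy): " + afterRead);

        // Revoke WRITE, the last remaining operation: the variants diverge.
        System.out.println("after revoking WRITE (buggy): " + adjustOperationBuggy(afterRead, "WRITE", true));
        System.out.println("after revoking WRITE (fixed): " + adjustOperationFixed(afterRead, "WRITE", true));
    }
}
```

Running the model shows the sequence from the report: "3" after both grants, "2" after revoking READ, and then the non-numeric "WRITE" from the buggy path versus a delete signal from the fixed one. Any later code that parses the stored column as an integer fails on the former, which is the downstream exception the report mentions.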