Index: webapps/docs/changelog.xml
===================================================================
--- webapps/docs/changelog.xml	(revision 1785763)
+++ webapps/docs/changelog.xml	(revision 1785764)
@@ -108,6 +108,11 @@
         <code>ServletRequest.getParameterMap()</code> is fully immutable. Based
         on a patch provided by woosan. (markt)
       </fix>
+      <fix>
+        <bug>60824</bug>: Correctly cache the <code>Subject</code> in the
+        session - if there is a session - when running under a
+        <code>SecurityManager</code>. Patch provided by Jan Engehausen. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">
Index: java/org/apache/catalina/connector/Request.java
===================================================================
--- java/org/apache/catalina/connector/Request.java	(revision 1785763)
+++ java/org/apache/catalina/connector/Request.java	(revision 1785764)
@@ -1875,24 +1875,35 @@
      *
      * @param principal The user Principal
      */
-    public void setUserPrincipal(Principal principal) {
-
-        if (Globals.IS_SECURITY_ENABLED){
-            HttpSession session = getSession(false);
-            if ( (subject != null) &&
-                 (!subject.getPrincipals().contains(principal)) ){
+    public void setUserPrincipal(final Principal principal) {
+        if (Globals.IS_SECURITY_ENABLED) {
+            if (subject == null) {
+                final HttpSession session = getSession(false);
+                if (session == null) {
+                    // Cache the subject in the request
+                    subject = newSubject(principal);
+                } else {
+                    // Cache the subject in the request and the session
+                    subject = (Subject) session.getAttribute(Globals.SUBJECT_ATTR);
+                    if (subject == null) {
+                        subject = newSubject(principal);
+                        session.setAttribute(Globals.SUBJECT_ATTR, subject);
+                    } else {
+                        subject.getPrincipals().add(principal);
+                    }
+                }
+            } else {
                 subject.getPrincipals().add(principal);
-            } else if (session != null &&
-                        session.getAttribute(Globals.SUBJECT_ATTR) == null) {
-                subject = new Subject();
-                subject.getPrincipals().add(principal);
             }
-            if (session != null){
-                session.setAttribute(Globals.SUBJECT_ATTR, subject);
-            }
         }
+        userPrincipal = principal;
+    }
 
-        this.userPrincipal = principal;
+
+    private Subject newSubject(final Principal principal) {
+        final Subject result = new Subject();
+        result.getPrincipals().add(principal);
+        return result;
     }
 
 
Index: .
===================================================================
--- .	(revision 1785763)
+++ .	(revision 1785764)

Property changes on: .
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /tomcat/trunk:r1785762