  1. JDK
  2. JDK-4364705

SubjectDomainCombiner assumes Subjects are immutable


    • Type: Bug
    • Resolution: Fixed
    • Priority: P4
    • 1.4.0
    • 1.0
    • security-libs
    • None
    • merlin
    • generic
    • generic

      The CacheEntry mechanism used in SubjectDomainCombiner assumes Subjects are immutable. If you start with a Subject containing principal A, and a CacheEntry for that Subject (with some codesource CS) gets put in the cache, and then you alter the Subject in place by removing principal A and adding principal B, a subsequent call to combine() will result in reusing the old permissions associated with principal A rather than obtaining the correct permissions associated with principal B.

            claisunw Charlie Lai (Inactive)
            bscheiflsunw Bob Scheifler (Inactive)

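The stale-entry behaviour described in the report, shown as an added Java example (not the JDK's SubjectDomainCombiner code): a simplified cache keyed only on the Subject object, next to one that also records the principal set each entry was built from. The `POLICY` map, the `Name` principal and the `combineNaive`/`combineChecked` methods are hypothetical stand-ins for the real policy lookup and `combine()`.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

public class StaleSubjectCacheDemo {
    // Hypothetical principal type; records compare by value.
    record Name(String name) implements Principal {
        public String getName() { return name; }
    }

    // Constructed stand-in for the policy: principal name -> permission names.
    static final Map<String, Set<String>> POLICY =
        Map.of("A", Set.of("read:/payroll"), "B", Set.of("read:/public"));

    static Set<String> lookup(Set<Principal> principals) {
        Set<String> perms = new TreeSet<>();
        for (Principal p : principals) perms.addAll(POLICY.getOrDefault(p.getName(), Set.of()));
        return perms;
    }

    // Model of the reported behaviour: the entry is tied to the Subject object
    // alone, so an in-place principal change never invalidates it.
    static final Map<Subject, Set<String>> naiveCache = new IdentityHashMap<>();
    static Set<String> combineNaive(Subject s) {
        return naiveCache.computeIfAbsent(s, k -> lookup(k.getPrincipals()));
    }

    // Checked variant: each entry keeps an immutable snapshot of the principals
    // it was computed from and is rebuilt when the live set differs.
    record Entry(Set<Principal> snapshot, Set<String> perms) {}
    static final Map<Subject, Entry> checkedCache = new IdentityHashMap<>();
    static Set<String> combineChecked(Subject s) {
        Set<Principal> now = Set.copyOf(s.getPrincipals());
        Entry e = checkedCache.get(s);
        if (e == null || !e.snapshot().equals(now)) {
            e = new Entry(now, lookup(now));
            checkedCache.put(s, e);
        }
        return e.perms();
    }

    public static void main(String[] args) {
        Subject s = new Subject();
        s.getPrincipals().add(new Name("A"));
        combineNaive(s);                          // both caches now hold A's permissions
        combineChecked(s);
        s.getPrincipals().remove(new Name("A"));  // alter the Subject in place
        s.getPrincipals().add(new Name("B"));
        System.out.println("naive:   " + combineNaive(s));
        System.out.println("checked: " + combineChecked(s));
    }
}
```

The naive path keeps returning the permissions computed for principal A after the Subject holds only B, while the checked path detects the changed principal set and recomputes.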