The hashCode method of SubjectDomainCombiner.CacheEntry uses subject.hashCode(), which includes credentials in the hash, but the equals method only compares principals, not credentials. As a result, two Subjects with the same principals but different credentials might not share a cache hit, and if the credentials of a subject change, the cache might be missed.