Luke, I know I need a repro recipe, but I just don't know how to do authn without using the web server at all.
The way I tested was to show SecureContext both before and after I entered the new thread. I don't have a log anymore, so I'll go from memory. The log looked like this:
That's what I remember seeing. I'll try and get back to the prior state (never committed the bad code) and post back.
http-processor5 - Preparing to start new thread - SecureContext@1234[principal=X, password=[PROTECTED], ...]
pool1-thread2 - In new thread, SecureContext@1234[principal=X, password=[PROTECTED], ...]
http-processor5 - Returning from Controller#handleRequest()
pool1-thread2 - Attempting to save to DB
pool1-thread2 - InvalidContextException - no authn in context
[i]stack trace omitted[/i]