I use your JForum with SSO and encountered quite a serious bug. I installed JForum on a performance-tuned production server and I was plagued by weird things. The main thing that went wrong was that when someone logged in, and someone else logged in on another PC or even in a different browser, JForum confused the names of the two persons. When one person posted, it for example showed the name of the other every now and then.
I looked at the code and determined that it is probably caused by the use of ThreadLocals. The entire forum assumes that each request is processed by different threads, but that is generally not the case. The execution context class should be passed to all necessary classes or methods to solve the bad ThreadLocal assumption, instead of storing it in ThreadLocals. I think this is quite a serious bug...

[originally posted on jforum.net by anoko]
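The failure mode described in this post, as an added example that is not part of the original post and is not JForum's code: a `ThreadLocal` value set on a pooled thread and never cleared is still present when the same thread serves the next request, so the second request is attributed to the first user. `CURRENT_USER`, `handleLeaky` and `handleScoped` are hypothetical names, and a single-thread executor stands in for the servlet container's thread pool.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalLeakDemo {
    // Hypothetical per-request holder, standing in for a forum's execution context.
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Leaky handler: sets the user only when the request carries a login
    // and never clears it, so the value outlives the request.
    static String handleLeaky(String loginOrNull) {
        if (loginOrNull != null) CURRENT_USER.set(loginOrNull);
        String seen = CURRENT_USER.get();
        return seen == null ? "anonymous" : seen;
    }

    // Scoped handler: always overwrites the value for this request
    // and removes it before the thread goes back to the pool.
    static String handleScoped(String loginOrNull) {
        try {
            CURRENT_USER.set(loginOrNull);
            String seen = CURRENT_USER.get();
            return seen == null ? "anonymous" : seen;
        } finally {
            CURRENT_USER.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread models a pool reusing a thread for successive requests.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            String a = pool.submit(() -> handleLeaky("alice")).get();
            String b = pool.submit(() -> handleLeaky(null)).get(); // no login on this request
            System.out.println("leaky:  request1=" + a + " request2=" + b);

            pool.submit(() -> CURRENT_USER.remove()).get(); // reset between the two demos

            String c = pool.submit(() -> handleScoped("alice")).get();
            String d = pool.submit(() -> handleScoped(null)).get();
            System.out.println("scoped: request1=" + c + " request2=" + d);
        } finally {
            pool.shutdown();
        }
    }
}
```

The same clean-up is commonly placed in a servlet `Filter` with a `try`/`finally` around the rest of the chain, so every code path clears the per-request state regardless of how the handler exits.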