Thanks Jayesh! It is interesting and makes sense to me.
Yes, we have hundreds of controller classes and they are not thread safe. I think I misstated my issue here. It is not the logged in user information that is getting swapped, but we are facing the swapping of claim information. While the user is working on a claim, all of a sudden, he/she gets another claim information on the screen. Since all controller classes are singleton classes, I think it is applicable to all types of service calls - read, update, delete etc.
So, assuming that all controllers are not thread safe, is there a way to make them thread safe at the configuration level in web.xml file without impacting the performance?