Fix a security problem that showed up in the 2.4.0
release. The issue is that if a secured JSP page
includes a sequence of jsp includes like:
<jsp:include page="test.jsp" flush="true">
<jsp:param name="name" value="d1"/>
</jsp:include>
<jsp:include page="test.jsp" flush="true">
<jsp:param name="name" value="d2"/>
</jsp:include>
<jsp:include page="test.jsp" flush="true">
<jsp:param name="name" value="d3"/>
</jsp:include>
<jsp:include page="test.jsp" flush="true">
<jsp:param name="name" value="d4"/>
</jsp:include>
where test.jsp looks up a secured stateless session
bean, only the first include succeeds. The later
includes fail because the security association of the
servlet request thread was lost.