ResourceResolver.clone() will reuse the same JCR session in case it was created by passing an existing session using JcrResourceConstants.AUTHENTICATION_INFO_SESSION. If you need a clone of the resource resolver to pass into a new, separate thread, and use ResourceResolver.clone(null), you will actually share the session, but this is not obvious. The problem is that a JCR session cannot be shared across threads.
The javadocs of clone() say "the same credential data is used as was used to create this instance".
There are a few problems with this:
- seeing the session object itself as "credential data" is unintuitive
- in my code, I have no idea what the original credential data was, so I don't know what kind of credential data it was to make the right decision
- since sharing a JCR session is to be avoided at all times, the resource resolver should prevent one from this
A solution would be if a plain ResourceResolver.clone(null) would return a session that impersonated itself, abstracting this from the resource resolver user. Additionally, it might be worth looking that clone always returns a new session, unless specifically stated.