The KualiRequestProcessor calls GlobalVariables.setUserSession(..) and clears the rest of the variables. The point where these appear to be unset is in KualiHttpSessionListener.sessionDestroyed(..). This can cause a leak of data between users if GlobalVariables is used anywhere other than below the KualiRequestProcessor (for example, accessing /portal.jsp, a DWR service, etc.).
Example: User A is logged in, and accesses a Struts action on request processing thread 1. User B comes along, logs in, and has GlobalVariables established on request processing thread 2. User B's page calls a DWR service; the servlet engine uses request processing thread 1 to handle the call. The DWR service calls GlobalVariables.getUserSession(), which returns user A.
I would recommend the following change of code, or alternatively deciding that GlobalVariables should only be used in Struts actions and updating the Javadoc accordingly.
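
An added illustration of the leak described in the example above, together with one general mitigation: set the per-thread state at the outermost request entry point and always clear it in a finally block. This is not Kuali code and not the change the reporter proposed; the class, field and method names are hypothetical, and a single-thread executor stands in for the servlet engine's pooled request threads.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Supplier;

// Hypothetical stand-in for a ThreadLocal-backed holder like the one the report describes.
public class ThreadLocalLeakDemo {
    private static final ThreadLocal<String> USER_SESSION = new ThreadLocal<>();

    // Entry point that establishes the user but never clears it afterwards.
    static String requestThroughProcessor(String user) {
        USER_SESSION.set(user);
        return USER_SESSION.get(); // value stays on the pooled thread after return
    }

    // Entry point that bypasses the processor (a JSP or a remoting call, for instance).
    static String requestBypassingProcessor() {
        return USER_SESSION.get(); // returns whatever the last request left behind
    }

    // Mitigation: the outermost wrapper sets the state and removes it on every exit path.
    static String guarded(String user, Supplier<String> work) {
        USER_SESSION.set(user);
        try {
            return work.get();
        } finally {
            USER_SESSION.remove(); // runs on normal return and on exceptions
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread guarantees the reuse that a busy pool produces by chance.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Callable<String> userA = () -> requestThroughProcessor("userA");
            Callable<String> userBCall = ThreadLocalLeakDemo::requestBypassingProcessor;
            pool.submit(userA).get();
            System.out.println("unguarded: user B's call sees " + pool.submit(userBCall).get());

            Callable<String> userAGuarded = () -> guarded("userA", USER_SESSION::get);
            pool.submit(userAGuarded).get();
            System.out.println("guarded:   user B's call sees " + pool.submit(userBCall).get());
        } finally {
            pool.shutdown();
        }
    }
}
```

With the guard in place, code that reads the holder outside a guarded request gets null instead of another user's session, so it has to handle the missing value explicitly.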