In CachingUserManager.isUser(String userName), the following two statements are not atomic:

getAllUserNamesFromCacheOrServer();                 // makes sure the cache is loaded with all users.
return (basicCache.getUser(userName) != null);

If the cache is flushed after the first statement is executed but before the second statement is executed, this method will return false.
As the result of this method is returned by CrowdCredentialsProvider and CrowdProfileProvider etc, this causes com.opensympony.user.User.getCredentialsProvider() and com.opensympony.user.User.getPropertySet() to return null, resulting in NullPointerException being thrown when constructing a new instance of com.opensympony.user.User or invoking getEmail() and getFullName() methods of an existing com.opensympony.user.User instance.

Additionally, in CachingUserManager.getAllUserNamesFromCacheOrServer(), the following two statements are not atomic either:

loadAllUsers();
userNames = basicCache.getAllUserNames();

If the cache is flushed after the first statement is executed but before the second statement is executed, this method will return null.
So the first patch I supplied could fail in this scenario.