AuthorizationManagerImpl::invalidateUserByName constructs a new UserRequest from a username with empty roles and invalidates the cache entry that key maps to. The constructed request has an empty roles field because this method is only expected to be invoked for internal users, who should not have had roles when they were injected into the cache. As a result, a UserRequest object containing nothing besides a name is expected to be sufficient to invalidate any entries corresponding to that username.
This is not always correct. Some entries in the cache have UserRequests that contain a mechanismData field. This field is used when creating the hash of the object, so two UserRequests with the same username but different mechanismData fields can correspond to different entries in the cache.
Therefore, it's not safe to assume that we can just construct a UserRequest object here. Instead, we should invalidate all entries with UserRequests wrapping the provided UserName.
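The mismatch described above, as an added example that is not the server's own code: the UserRequest layout, the hash combiner, the unordered_map standing in for the user cache, and the sample entries are all simplified assumptions. Invalidating by a key rebuilt from the bare name leaves the entry with mechanismData in the cache, while invalidating by username removes both.

```cpp
#include <functional>
#include <set>
#include <string>
#include <unordered_map>

// Simplified stand-in for UserRequest; this field layout is an assumption.
struct UserRequest {
    std::string name;
    std::set<std::string> roles;  // empty for internal users
    std::string mechanismData;    // empty when the request carries none
    bool operator==(const UserRequest& o) const {
        return name == o.name && roles == o.roles && mechanismData == o.mechanismData;
    }
};

// mechanismData takes part in the hash, as the description above states.
struct UserRequestHash {
    std::size_t operator()(const UserRequest& r) const {
        std::size_t h = std::hash<std::string>{}(r.name);
        return h ^ (std::hash<std::string>{}(r.mechanismData) + 0x9e3779b9 + (h << 6) + (h >> 2));
    }
};
using UserCache = std::unordered_map<UserRequest, std::string, UserRequestHash>;

// Behaviour described above: erase only the key rebuilt from the bare name.
std::size_t invalidateByConstructedKey(UserCache& cache, const std::string& name) {
    return cache.erase(UserRequest{name, {}, ""});
}

// Proposed behaviour: erase every entry whose request wraps the name.
std::size_t invalidateAllForName(UserCache& cache, const std::string& name) {
    std::size_t removed = 0;
    for (auto it = cache.begin(); it != cache.end();) {
        if (it->first.name == name) { it = cache.erase(it); ++removed; } else { ++it; }
    }
    return removed;
}

// Constructed sample data: two entries for "alice", one with mechanismData.
UserCache sampleCache() {
    return {{UserRequest{"alice", {}, ""}, "cached-user-1"},
            {UserRequest{"alice", {}, "constructed-mechanism-data"}, "cached-user-2"},
            {UserRequest{"bob", {}, ""}, "cached-user-3"}};
}

int main() {  // exit code 0 when the keyed invalidation leaves a stale entry
    UserCache c = sampleCache();
    return (invalidateByConstructedKey(c, "alice") == 1 && c.size() == 2) ? 0 : 1;
}
```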