This is most likely a result of the changes for CR 6648001. CR 6648001 was fixed in 6u10 b13.
Aside from this, I can see the possibility that endAuthRequest can be invoked twice with the same key. endAuthRequest in turn invokes requestCompleted, which contains the assertion. If an authentication request succeeds, it will be added to the cache (Authentication.addToCache), and this method will invoke endAuthRequest. HttpURLConnection.getInputStream has a finally block that will also invoke endAuthRequest.
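The double-completion path described above, as a simplified model added here for illustration. It is not the JDK's own code: the class, method names, map layout and sample key are all hypothetical, and the "tolerant" variant is only one possible way to make a second call harmless.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of completing the same authentication request twice.
// Every name in this class is hypothetical; it does not reproduce JDK source.
public class DoubleEndAuthRequest {
    // key -> thread that currently owns the in-flight authentication request
    private static final Map<String, Thread> requests = new HashMap<>();

    static void beginAuthRequest(String key) {
        synchronized (requests) {
            requests.put(key, Thread.currentThread());
        }
    }

    // Strict completion: assumes each key is completed exactly once.
    // The return value stands in for the condition the assertion checks.
    static boolean strictCompleted(String key) {
        synchronized (requests) {
            boolean wasPresent = requests.remove(key) != null;
            requests.notifyAll(); // wake any threads waiting on this key
            return wasPresent;
        }
    }

    // Tolerant completion: removes the entry only if the calling thread
    // still owns it, so a second call for the same key is a no-op.
    static void tolerantCompleted(String key) {
        synchronized (requests) {
            if (requests.get(key) == Thread.currentThread()) {
                requests.remove(key);
            }
            requests.notifyAll();
        }
    }

    public static void main(String[] args) {
        String key = "server:example.test:80:realm"; // constructed sample key

        beginAuthRequest(key);
        boolean first = strictCompleted(key);  // models the cache-insertion path
        boolean second = strictCompleted(key); // models the finally-block path
        System.out.println("strict: first=" + first + " second=" + second);

        beginAuthRequest(key);
        tolerantCompleted(key);
        tolerantCompleted(key); // second call finds nothing owned, does nothing
        System.out.println("tolerant: entries left=" + requests.size());
    }
}
```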