Yes, JBoss caches valid credentials (= username and password which were verified by your login module).
It must do this, because otherwise your login module would be called on every EJB method call, and not just the first time - that would slow down your application considerably.
Sorry I don't know more - I think the credentials cache has a timeout, which you can probably set (but you wouldn't want it too short), but I am not sure about this.
Thanks jwkaltz! Yes, you're right, and that happens in the same session, and JBoss should keep the valid credential in the session context so the user doesn't have to authenticate anymore. But when I start a new session (open a new browser and log in), the last credential still exists (although I removed it from the database) and the removed user can still log into my system.
I am experiencing the same problem. I think caching by JBoss is fine. But there should be a way to invalidate the cache.
I have a dummy EJB method called login() that gets called for authenticating users. Currently the method is a no-op. The only solution that I have been able to come up with is to pass the user credentials to the EJB login() method and do the checking there. But I don't want to do authentication twice, once by JBoss and once directly by my login() method.
I am hoping that there will be a more elegant solution.
What I've discovered is that if you log in using the new password, the old password will not authenticate anymore.
We've also found that the credentials timeout when not used for about 15 minutes. I have not discovered where this timeout is set.
You can also force the credentials to reset by restarting JBoss.
Another option is to clear the cache manually by invoking the SecurityManager MBean. However, this clears the Authentication for all users. Does anyone know if there are plans to add a method to clear single user credentials within a domain cache?
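As an added illustration of the "clear the cache via the security manager MBean" option above (this is not code from the thread or from JBoss itself), here is what that invocation looks like over JMX from inside the server. It assumes the MBean name `jboss.security:service=JaasSecurityManager` and the operation `flushAuthenticationCache(String securityDomain)` as exposed by the JaasSecurityManager service in JBoss 3.x/4.x; the 2.4 release being discussed may name them differently. It also assumes the code runs in the JBoss JVM (for example from a servlet or a session bean that an administrator calls after deleting a user), so the MBeanServer can be found locally.

```java
import java.util.List;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;

/**
 * Flushes the JBoss authentication cache for one security domain by
 * invoking the JaasSecurityManager MBean over JMX.
 *
 * Assumptions (not confirmed by the thread, which concerns JBoss 2.4):
 *  - the MBean is registered as jboss.security:service=JaasSecurityManager
 *    and exposes flushAuthenticationCache(String securityDomain), as in
 *    JBoss 3.x/4.x;
 *  - this code runs inside the JBoss JVM (servlet, session bean, MBean),
 *    so the platform's MBeanServer can be looked up locally.
 */
public final class AuthCacheFlusher {

    // Hypothetical but JBoss 3.x/4.x-style MBean name; check the JMX console
    // of the release actually deployed before relying on it.
    private static final String SECURITY_MANAGER_MBEAN =
        "jboss.security:service=JaasSecurityManager";

    private AuthCacheFlusher() {}

    /** Returns the first MBeanServer registered in this JVM, or throws if there is none. */
    static MBeanServer locateServer() {
        List servers = MBeanServerFactory.findMBeanServer(null);
        if (servers.isEmpty()) {
            throw new IllegalStateException(
                "no MBeanServer in this JVM; this must run inside the JBoss process");
        }
        return (MBeanServer) servers.get(0);
    }

    /**
     * Drops every cached principal for the given security domain, so the next
     * secured call into that domain goes back through the login module (and
     * therefore back to the database where the user was deleted).
     *
     * Caveat, as the post above notes: this clears ALL users of the domain,
     * not just the one that was removed. Active, legitimate users will be
     * re-authenticated transparently on their next call.
     */
    public static void flushDomain(String securityDomain) throws Exception {
        if (securityDomain == null || securityDomain.length() == 0) {
            throw new IllegalArgumentException("security domain name is required");
        }
        MBeanServer server = locateServer();
        server.invoke(
            new ObjectName(SECURITY_MANAGER_MBEAN),
            "flushAuthenticationCache",
            new Object[] { securityDomain },
            new String[] { String.class.getName() });
    }

    /**
     * Example call site: an administrative operation that deletes a user
     * record and then flushes the domain, so the deleted account cannot keep
     * logging in from the cache until the timeout expires. The domain name is
     * the bare name used in login-config.xml (the part after "java:/jaas/").
     */
    public static void removeUserAndFlush(String securityDomain, Runnable deleteUser)
            throws Exception {
        deleteUser.run();          // application-specific: delete the row, disable the account, etc.
        flushDomain(securityDomain);
    }
}
```

Because the flush is a JMX operation, the same call can be issued by an administrator through JBoss's JMX console or another JMX adaptor instead of from application code, which is often the more convenient route during incident handling. To my knowledge, in JBoss 3.x/4.x the cache lifetime that the earlier post measured at roughly 15 minutes is also an attribute of this same MBean (DefaultCacheTimeout, in seconds); that attribute is not documented in this thread, so verify it against the deployed release.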
JBoss 2.4.5RC1 fixes the caching problems. BUT there are classpath issues with this release. So to get the fixes you will need to checkout and build Branch_2_4 from CVS. Branch_2_4 fixes the problems, or at least problems with the SRP Caching scheme. If you need help let me know.