We are using a login stack that includes :
<application-policy name = "srpssl-ex">

<login-module code = "org.jboss.security.srp.jaas.SRPCacheLoginModule"
flag = "required">
<module-option name = "cacheJndiName">srp-test/AuthenticationCache</module-option>
</login-module>
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name="dsJndiName">java:/DefaultDS</module-option>
<module-option name ="password-stacking">useFirstPass</module-option>
<module-option name ="principalsQuery">Select pswd from Principals where principalid = ?</module-option>
<module-option name ="rolesQuery">Select role,rolegroup from Roles where principalid = ?</module-option>
<module-option name ="unauthenticatedIdentity">guest</module-option>
</login-module>

1. The first login goes through SRP but does not call the second login module (DatabaseServerLoginModule).
2. A second login does not make it through the SRPCacheLoginModule since the login() method does the following:

SRPSessionKey key;
if( userPrincipal instanceof SRPPrincipal )
{
SRPPrincipal srpPrincpal = (SRPPrincipal) userPrincipal;
key = new SRPSessionKey(username, srpPrincpal.getSessionID());
}
else
{
key = new SRPSessionKey(username);
}
Object cacheCredential = cache.get(key);

The userPrincipal is not an instance of SRPPrincipal to key is set to
new SRPSessionKey(username) which generates a default session id of 0 -- the same as the one used by the first user login. This result in a bad cache lookup in cache.get(key).

What is going on???