I have a custom JAAS modules that worked fine in JBoss6 (well, some minor flaws, nothing I couldn't hack around). The same module deployed in JBoss AS7 runs into a loop and finally a HTTP 408 is returned to the client.
Debugging the module everything seems to work fine. login() and commit() are called and run without error. It seems that the loop is started in the CoyoteAdapter, but I was not able to find the sourcecode of this class.
Btw: It is very frustrating, that upgrading from one JBoss version to the next ends up in a nearly endless fight through search engines, bug reports and sourcecode
Found the cause: Session cookies are now issued according to the spec. Which breaks pretty lot of browsers...
Solution is described here: http://community.jboss.org/message/612640