Hello everyone!
Some time ago we encountered with unexpected user logouts on production running JBoss 7.1.2. Our security-domain is using cache-type="default". After some examination of jboss's sources we found that
{code}org.jboss.as.security.plugins.DefaultAuthenticationCacheFactory{code}
executes logout during cache eviction. Why it is nessesary to logout if in case of cache miss request would be handled by authentificator?
To fix this we started to use infinispan strategy with sufficient capacity (more then 1000 entries).