Nobody have experience or idea about it ?
Will Jboss 7 contains this feature ? also using a custom JAAS module ?
you might achieve this behaviour by using a servlet filter and redirect to the "change password" page. See e.g. this for a small sample: http://viralpatel.net/blogs/2009/02/http-session-handling-tutorial-using-servlet-filters-session-error-filter-servlet-filter.html
Hope this helps
But Filters doens't intercept the j_security_check special url (also using /* )
But probably I can use it as a starting point intercepting all other request and check it every time (maybe avoid do it every time keeping a boolean in the http session)
I believe this can be a great feature for JBOSS.
IBM Websphere and SAP Netweaver have it managed directly.
Just an idea...
What about using a Valve?