You cannot log out the user to change the password, because if you log out you will not have a way of determining who the user is (you lose the session context).
To do what you want (force the user to perform a mandatory action before proceeding), the simplest thing is to remove all authorizations from the user, intercept the org.jboss.seam.security.notAuthorized event and redirect the user to the page you want. This works especially well if you use the user permissions to enable and disable the menu links.
What I do is create a bogus role that grants access only to the change password page, and when the user logs in I grant him only that role. When the user completes the password change procedure, I reassign back his normal roles.
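The approach described in the post above, as a Seam 2 component; this is an added example, not code from the thread. The component name, role name, view id and the methods `onLogin` and `onPasswordChanged` are hypothetical, and it assumes your authenticator and your change-password action call them.

```java
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Observer;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.faces.Redirect;
import org.jboss.seam.security.Identity;

@Name("passwordChangeGate")            // hypothetical component name
@Scope(ScopeType.SESSION)
public class PasswordChangeGate implements Serializable {
    static final String CHANGE_ROLE = "passwordChangeOnly";    // hypothetical bogus role
    static final String CHANGE_VIEW = "/changePassword.xhtml"; // hypothetical view id

    @In private Identity identity;
    private final List<String> withheldRoles = new ArrayList<String>();

    // Call from the authenticator once the credentials have been verified.
    public void onLogin(Collection<String> normalRoles, boolean mustChangePassword) {
        withheldRoles.clear();
        if (mustChangePassword) {
            withheldRoles.addAll(normalRoles);   // kept server-side, not granted yet
            identity.addRole(CHANGE_ROLE);
        } else {
            for (String role : normalRoles) identity.addRole(role);
        }
    }

    // Every restricted page except CHANGE_VIEW fails its role check and lands here.
    @Observer("org.jboss.seam.security.notAuthorized")
    public void onNotAuthorized() {
        if (identity.hasRole(CHANGE_ROLE)) {
            Redirect redirect = Redirect.instance();
            redirect.setViewId(CHANGE_VIEW);
            redirect.execute();
        }
    }

    // Call only after the new password has been validated and stored.
    public void onPasswordChanged() {
        identity.removeRole(CHANGE_ROLE);
        for (String role : withheldRoles) identity.addRole(role);
        withheldRoles.clear();
    }
}
```

The event only fires when a restriction check fails, so each protected page or method needs its own role restriction; hiding menu links alone does not stop a direct request to a page URL.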
Emir, thanks for the response.
I will try,
Thanks, Jidlafe S. Hegner
Actually I want a more elegant solution. I'll look some more and then post what you get.