You can try to flush security subsystem cache using JMX API:
MBeanServerConnection mbeanServerConnection = ManagementFactory.getPlatformMBeanServer(); ObjectName mbeanName = new ObjectName("jboss.as:subsystem=security,security-domain=your-security-domain"); mbeanServerConnection.invoke(mbeanName, "flushCache", null, null);
Replace "your-security-domain" with real domain's name you configured for your app.
Thanks Fabrizio. I quickly tested this and it seems it will do what I want.
I put a h:commandbutton in a form and submitted via ajax to a user bean that runs your code.
I open the browser, navigate to the admin area.
Then I changed role permission (database jaas) and clicked the button.
After closing and reopening the browser the changes are picked up.