I am implementing custom security in EAP 6.2 with PicketBox 4.0.19.SP2. I am using a configured LDAP login-module, a configured Delegating authorization-module and a custom-written role-mapping-module, which retrieves extra roles for an authenticated principal from a DB. What I observe is that for every EJB call from the web layer, a new instance of my custom role-mapping-module is created and used to perform a role-mapping. This is a huge performance penalty I would like to avoid. I tried cache-type="default" in the security domain configuration, but it only seems to cache authentication information, not authorization information. Is there a way to cache the authorization information between EJB calls?