I don't have an answer but I have the same question.
I am going to be deploying a new system on an old user base. One of the things I'm virtually required to do is to force everyone to change their password (different encryption schemes). I have a database flag that, if set, forces the user to change his password - no other part of the application is accessible to him. Once the password is changed, he has his usual rights.
I had thought I could achieve this by simply logging the user out after the password change and redirecting him to the login screen where he can type in his new password (which would then get the full role list associated with the user).
But I am defeated by the authentication cache which still holds the user with his old password and truncated set of roles.
What I want is a bullet-proof way to implement "remove this user from authentication cache". These are the semantics that are intuitive for logout. Otherwise there is no way for a user to change his credentials.
What is the best way to achieve this currently in JBoss?
Another goodie that would be nice:
For development purposes - is there a way to force the auth cache to be flushed whenever a new EAR file is given to JBoss? I find I get weird results whenever I send down a new EAR; restarting JBoss makes it go away.
Is there a way to force this to be cleaned on a new deployment or, if not, at least to flush it manually?
You can flush the authentication cache through the jmx-console.
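The same operation the jmx-console exposes can be invoked from the application itself, so the first poster's password-change handler could evict just that user's stale entry. This is an added example, not code from either poster; it assumes the JBoss AS 4/5-era `jboss.security:service=JaasSecurityManager` MBean with its `flushAuthenticationCache` operations, and `my-app` is a placeholder for the security domain name from `login-config.xml`.

```java
import java.security.Principal;
import java.util.List;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import org.jboss.security.SimplePrincipal;

/** Evicts entries from the JaasSecurityManager authentication cache via in-VM JMX. */
public class AuthCacheFlusher {

    // MBean registered by the JBoss AS 4/5 security service (assumed present in this server).
    private static final String SECURITY_MGR = "jboss.security:service=JaasSecurityManager";

    /** Locate the MBeanServer that JBoss registered its services with. */
    private static MBeanServer locateServer() {
        List<MBeanServer> servers = MBeanServerFactory.findMBeanServer(null);
        if (servers.isEmpty()) {
            throw new IllegalStateException("no MBeanServer found in this JVM");
        }
        return servers.get(0);
    }

    /** Drop one user's cached credentials and roles so the next request re-runs the login modules. */
    public static void flushUser(String securityDomain, String username) throws Exception {
        Principal user = new SimplePrincipal(username);
        locateServer().invoke(new ObjectName(SECURITY_MGR),
                              "flushAuthenticationCache",
                              new Object[] { securityDomain, user },
                              new String[] { String.class.getName(), Principal.class.getName() });
    }

    /** Drop every cached entry for the domain, e.g. after redeploying an EAR during development. */
    public static void flushDomain(String securityDomain) throws Exception {
        locateServer().invoke(new ObjectName(SECURITY_MGR),
                              "flushAuthenticationCache",
                              new Object[] { securityDomain },
                              new String[] { String.class.getName() });
    }

    public static void main(String[] args) throws Exception {
        // "my-app" is a placeholder security domain; call this right after the new password is stored.
        flushUser("my-app", "alice");
    }
}
```

Calling `flushUser` immediately after persisting the new password hash, and before the logout redirect, means the next login runs the login modules against the new credentials and picks up the full role set instead of the cached, truncated one.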