A user needs to be able to change their own password. However, JBoss 2.4.4 caches the user information after it does the initial login.
Using Scott Stark's "How To" article as a baseline, run example2-test0, which has the password "echoman". Now change the password in the database to "echoone" and log in again as echoman -- you still get in. Change the build file to switch the password to "echoone" -- that works too. Now change the build file back to log in as "echoman" and it fails. Note: echoone still works.
A simple solution to have the password change take effect immediately:
1) The user logs in with the old password and changes the password to a new value. Now, both passwords will work.
2) Unbeknownst to the user, log in again with the new password. Now, only the new password works.
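
The sequence above can be reproduced with a small model of a per-user credential cache; this is an added example, not JBoss source or code from the "How To" article. The class and method names are hypothetical, and the cache logic (accept on a cache match, otherwise check the database and replace the entry) is an assumption chosen to match the behaviour observed above.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model (an assumption, not JBoss source): a per-user credential
// cache in front of a password store. Plain-text comparison mirrors the
// test data above and keeps the model short.
public class CredentialCacheDemo {
    private final Map<String, String> database = new HashMap<>(); // backing store
    private final Map<String, String> cache = new HashMap<>();    // last validated credential

    // A login that matches the cached credential never consults the database.
    boolean login(String user, String password) {
        if (password.equals(cache.get(user))) {
            return true;
        }
        if (password.equals(database.get(user))) {
            cache.put(user, password); // replaces any stale entry
            return true;
        }
        return false;
    }

    // Workaround from the text: store the new password, then log in with it
    // straight away so the cached old password is replaced.
    void changePassword(String user, String newPassword, boolean relogin) {
        database.put(user, newPassword);
        if (relogin) {
            login(user, newPassword);
        }
    }

    public static void main(String[] args) {
        for (boolean relogin : new boolean[] {false, true}) {
            CredentialCacheDemo realm = new CredentialCacheDemo();
            realm.database.put("echoman", "echoman"); // constructed sample account
            realm.login("echoman", "echoman");        // initial login fills the cache
            realm.changePassword("echoman", "echoone", relogin);
            System.out.println("relogin=" + relogin
                + " old password accepted: " + realm.login("echoman", "echoman")
                + ", new password accepted: " + realm.login("echoman", "echoone"));
        }
    }
}
```

Without the relogin step the old password keeps working until a login with a different credential replaces the cache entry, which is the window the two-step procedure closes.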