It is an interesting question. I don't have a simple solution, but the most efficient way would probably be to write your own security interceptor. This is described in the JBoss documentation, though I haven't tried it myself.
I guess what you need to achieve, instead of checking calls only on username/password credentials (which is what the default security layer does), is to cache username/password/http-session-id in your security layer.
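To make the suggestion above concrete, here is an added example of a credential cache keyed on (username, HTTP session id). This is illustration code written for this thread, not JBoss code and not part of any JBoss interceptor API; the Authenticator interface, the class name, the SHA-256 fingerprinting and the demo backend are all assumptions. Because the presented password is compared against a fingerprint stored in the entry, a login with a changed password misses the cache and goes to the backend, while the same user in a new session is always re-checked against the real store.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

/** Hypothetical session-scoped credential cache; not a JBoss class and uses no JBoss API. */
public final class SessionScopedCredentialCache {

    /** The real credential check (database, LDAP, ...). Assumed interface for this example. */
    public interface Authenticator {
        boolean authenticate(String username, char[] password);
    }

    /** Cache key: the session id is part of the key, so a new session never sees an old entry. */
    private static final class Key {
        final String username;
        final String sessionId;
        Key(String username, String sessionId) { this.username = username; this.sessionId = sessionId; }
        @Override public boolean equals(Object o) {
            return o instanceof Key && username.equals(((Key) o).username)
                    && sessionId.equals(((Key) o).sessionId);
        }
        @Override public int hashCode() { return Objects.hash(username, sessionId); }
    }

    /** The plaintext password is never stored; only a salted fingerprint plus an expiry time. */
    private static final class Entry {
        final byte[] passwordDigest;
        final long expiresAtMillis;
        Entry(byte[] digest, long expiresAtMillis) { this.passwordDigest = digest; this.expiresAtMillis = expiresAtMillis; }
    }

    private final Map<Key, Entry> entries = new HashMap<>();
    private final Authenticator backend;
    private final long ttlMillis;
    private final byte[] salt = new byte[16]; // per-instance salt: fingerprints are useless outside this cache

    public SessionScopedCredentialCache(Authenticator backend, long ttlMillis) {
        this.backend = backend;
        this.ttlMillis = ttlMillis;
        new SecureRandom().nextBytes(salt);
    }

    /** Returns true if the credentials are valid; the backend is only consulted on a cache miss. */
    public synchronized boolean check(String username, char[] password, String sessionId) {
        Key key = new Key(username, sessionId);
        byte[] digest = digest(password);
        long now = System.currentTimeMillis();
        Entry cached = entries.get(key);
        if (cached != null && now < cached.expiresAtMillis
                && MessageDigest.isEqual(cached.passwordDigest, digest)) {
            return true;                        // hit: same user, same session, same password
        }
        entries.remove(key);                    // expired, or the presented password differs
        boolean ok = backend.authenticate(username, password);
        if (ok) {
            entries.put(key, new Entry(digest, now + ttlMillis));
        }
        return ok;
    }

    /** Call on password change so the old password stops being accepted before the TTL runs out. */
    public synchronized void invalidateUser(String username) {
        entries.keySet().removeIf(k -> k.username.equals(username));
    }

    /** Call on logout or session expiry so an entry never outlives its session. */
    public synchronized void invalidateSession(String sessionId) {
        entries.keySet().removeIf(k -> k.sessionId.equals(sessionId));
    }

    private byte[] digest(char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(new String(password).getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Constructed demo: a counting backend shows when the real check is actually performed. */
    public static void main(String[] args) {
        final int[] backendCalls = {0};
        final String[] currentPassword = {"s3cret"};           // constructed sample credential
        Authenticator backend = (user, pw) -> {
            backendCalls[0]++;
            return "alice".equals(user) && currentPassword[0].equals(new String(pw));
        };
        SessionScopedCredentialCache cache = new SessionScopedCredentialCache(backend, 60_000);

        cache.check("alice", "s3cret".toCharArray(), "sess-1"); // miss: backend is called
        cache.check("alice", "s3cret".toCharArray(), "sess-1"); // hit: backend is not called
        cache.check("alice", "s3cret".toCharArray(), "sess-2"); // new session: backend is called again
        System.out.println("backend calls after three checks: " + backendCalls[0]);

        currentPassword[0] = "n3wpass";                         // the user changes their password
        System.out.println("old password in sess-1 before invalidation: "
                + cache.check("alice", "s3cret".toCharArray(), "sess-1"));
        cache.invalidateUser("alice");
        System.out.println("old password in sess-1 after invalidation: "
                + cache.check("alice", "s3cret".toCharArray(), "sess-1"));
        System.out.println("new password in sess-1: "
                + cache.check("alice", "n3wpass".toCharArray(), "sess-1"));
    }
}
```

The demo makes the caveat visible: until invalidateUser is called (or the TTL expires), the old password is still accepted inside the session that cached it, which is exactly the stale-cache problem the thread is about. Keying on the session id limits the blast radius to that one session, and a short TTL plus explicit invalidation on password change and logout closes the remaining window.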
This question (or the issue of caching passwd+user) seems to be recurrent (I posted the same question 3 days ago, and have seen different questions regarding caching, changing passwd, etc). Maybe we can try to find a clean common solution, or to do a FAQ!

! This is not the clean version at all !

Meanwhile, I thought of a 'hack solution' for the single login: adding a random piece of junk (+maybe hostname+time!) before the passwd. Well, it is nasty, but it will avoid calling the cached version of the real password during the login phase. I do not know if it can be implemented in a web context (but this is not my case, and you may be able to add the sessionid in this case?) or if an MD5 version of the passwd is encoded?