Oh, I'm using jboss-3.0.1_tomcat-4.0.4
This happening because the JBoss server caches everything known to man...and then some. Seriously, it is caching the authentication info, so when you delete the user form the database, and even if you restart the browser, then the authentication info for that deleted user still resides in the cache. Restart the server after deleting the user and try it. It should fail because restarting the server wipes out the auth. cache.
You can add a clear auth. cache call to your logout method. Thats what I have done and it works fine.
Check out http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/ for more info about the auth. cache flush in 3.0.x. The jar file mentioned can be found in the server/output/lib directory of the JBoss source after you build all.
Hope this helps and good luck,