See JaasSecurityManagerMBean, it allows you to configure the cache, including timeout. Notice that disabling it completely will have a performance effect on your application.
I really do not want to disable cache.
I do not want to use my own security proxy as well, because what I am trying to acheive is in addition to the functionalities already provided by the JBoss Login modules.
Is there any other way to get around this?
Did you ever find a solution to this problem? I am having the same problem and I don't want to set the cach to 0.
If you want the login modules to execute every time an authentication request is needed, you have to disable the cache. You can't have it both ways. Explain why you don't want the cache disabled if you want the login modules to execute?
I don't want to set the cache to 0 because, I need a running list of authenticated users on the server. But at the same time I need the server to attempt to authenticate when a login is requested and the username and password is already authenticated. I think the JBoss or Tomcat code looks like this (hypothetically) when j_security_check is requested :
// 1) Check: same user login
// 1a) Re-Init user session of found user....
// 2) Check: against datasource for valid username and/or password...
// 2a) If ok; then proceed and create NEW session.
The reason I need to do this is to check if a user is already logged in from another location. I can think of about a 1000 other ways of performing this check, but I believe this should be handled better on the Application Server side, in this case JBoss.
So your coupling the list of active users to the cache. To ask that the cache maintains the user list and then is ignored in terms of deciding whether the login module stack should be executed is not a reasonable expectation as far as I can see. You can certainly maintain your own list, or write your own cache implementation. See chap 8 in the online manual for more info on the latter.