Our passwords (RSA SecurID tokens) change every minute.
Even without a session timeout, it looks like the login module is asked for password verification every 15 minutes for the same (servlet) session. Obviously the password is not correct any more.
Is it possible to configure JBoss+Tomcat so that the login module's verifyPassword is asked at the start of a session, but not every 15 minutes?
I have created a subclass of FormAuthenticator that appends the session ID to the password before it is stored in the session. My RSALoginModule splits the password and session ID and stores a hash of it in a persistent store.
It is a bit ugly, but it works :)
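
A standalone sketch of the workaround described above, added here as an illustration and not the poster's code or any JBoss API. The class name, the `OtpBackend` interface, the separator character and the in-memory map standing in for the persistent store are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SessionBoundVerifier {
    // Hypothetical stand-in for the real SecurID passcode check.
    public interface OtpBackend { boolean verify(String user, String passcode); }

    private static final char SEP = '\u0000'; // assumed separator, never part of a passcode or session ID
    private final OtpBackend backend;
    // In-memory stand-in for the persistent store; it holds hashes only, never passcodes.
    private final Map<String, byte[]> store = new ConcurrentHashMap<>();

    public SessionBoundVerifier(OtpBackend backend) { this.backend = backend; }

    // Value the authenticator would keep in the session in place of the bare passcode.
    public static String combine(String passcode, String sessionId) { return passcode + SEP + sessionId; }

    public boolean verifyPassword(String user, String combined) {
        int i = combined.lastIndexOf(SEP);
        if (i < 0 || i == combined.length() - 1) return false; // no session ID attached: reject
        String key = user + SEP + combined.substring(i + 1);
        byte[] digest = sha256(user + SEP + combined);
        byte[] known = store.get(key);
        // Re-verification inside the same session: compare hashes in constant time.
        if (known != null) return MessageDigest.isEqual(known, digest);
        // First verification for this session: the passcode is still fresh, so ask the backend.
        if (!backend.verify(user, combined.substring(0, i))) return false;
        store.put(key, digest);
        return true;
    }

    // Call when the session ends so the cached entry cannot outlive it.
    public void sessionEnded(String user, String sessionId) { store.remove(user + SEP + sessionId); }

    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        int[] calls = {0}; // constructed backend: accepts the passcode once, like an expiring token code
        SessionBoundVerifier v = new SessionBoundVerifier((u, p) -> p.equals("123456") && calls[0]++ == 0);
        System.out.println(v.verifyPassword("alice", combine("123456", "S1"))); // first login
        System.out.println(v.verifyPassword("alice", combine("123456", "S1"))); // later re-check, same session
        System.out.println(v.verifyPassword("alice", combine("123456", "S2"))); // same code, other session
    }
}
```

The cached hash makes the one-time passcode valid for the lifetime of that session ID, so the entry should be removed when the session is invalidated or times out.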