Setting DefaultCacheTimeout <= 0 disables caching.
You cannot only have authentication occur the first time a user is redirected to a login page using FORM auth if you disable caching. Authentication ocurs on every access to secured content. You would have to create your own custom cache policy tied to the session timeout or some web app logic that tracked user logins.
Do you think a filter could flush the cache? Meaning stick a filter in front of j_security_check and then call the mbean intercepting the call with a call to the JAASSecurityManager to flush teh cache for the user in the request parms? Its a little bit of a kludge but it just seems like it just might work...though there may be something I'm not thinking of...
You cannot apply a filter before j_security_check. Filters are applied after the security process.