To investigate the functioning of the authentication cache I traced the network traffic of the database port. The result is:
When calling flushAuthCache() there is no access to the database. Instead, the assigned authentication role is destroyed. Even a call to isCallerInRole() is not a reason to re-read the security information stored in the database.
The security information is only read, i.e. the SQL statement stored in login-config.xml is only run against the database, the next time the browser requests a resource.
It seems that flushing the authentication cache only sets a flag signaling to re-read the authentication information the next time. Which call really triggers the database access?
The security cache is loaded only during authentication. You cannot change roles and have them reloaded without reauthenticating. With basic auth this would be transparent to the user, while form based auth would require logging in.
You can write your own org.jboss.util.CachePolicy implementation to allow all the roles associated with the authenticated subject to be refreshed as you wish.
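As an added example (not code from the thread or from JBoss itself) of the custom CachePolicy approach suggested above, the class below extends the container's org.jboss.util.TimedCachePolicy so that cached principal entries expire after a short lifetime. An expired entry is reported as a cache miss, so the security manager runs the login modules again on the next request, which is the database access the question asks about, without an explicit flushAuthCache() call. It assumes the TimedCachePolicy constructor (default lifetime in seconds, thread-safe flag, resolution in seconds) and the CachePolicy get() method; the class name, package and the lifetime values are illustrative choices.

```java
// Added example, not part of the original thread or of JBoss.
// Assumptions: org.jboss.util.TimedCachePolicy exposes the constructor
// (int defaultLifetimeSeconds, boolean threadSafe, int resolutionSeconds)
// and the CachePolicy method get(Object key). Names and values are illustrative.
package example.security;

import org.jboss.util.TimedCachePolicy;

/**
 * Authentication cache policy whose entries expire after a short lifetime,
 * so role changes made in the database take effect within that window
 * instead of only after an explicit flushAuthCache() call.
 */
public class ShortLivedAuthCachePolicy extends TimedCachePolicy {

    // Illustrative values: roles are re-read at most 60 s after they change.
    private static final int LIFETIME_SECONDS = 60;
    // Illustrative value: how often the policy checks for expired entries.
    private static final int RESOLUTION_SECONDS = 5;

    public ShortLivedAuthCachePolicy() {
        // threadSafe = true because the security manager is called concurrently
        super(LIFETIME_SECONDS, true, RESOLUTION_SECONDS);
    }

    /**
     * Returns the cached entry for the principal, or null once it has expired.
     * A null result makes the security manager authenticate the principal
     * again, i.e. run the login module (and its SQL statement) once more.
     */
    @Override
    public Object get(Object key) {
        Object entry = super.get(key);
        if (entry == null) {
            // Constructed diagnostic; replace with the container's logger.
            System.out.println("auth cache miss for " + key
                    + ": roles will be re-read on this request");
        }
        return entry;
    }
}
```

The policy is installed the same way any other CachePolicy is, by naming it in the security manager's configuration; which attribute that is depends on the JBoss version in use and is not shown here.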