Yes, credentials have to exist on each call but they are cached by the security domain to avoid repeated login module calls. Unless you have disabled the caching there is no reason for the described behavior.
My caching is not disabled like below (copied from jboss-service.xml ) but the caching is not working at all. Every call the web app is authenticating against the database. Are any other possiblities leading to this problem?
<!-- JAAS security manager and realm mapping --> <mbean code="org.jboss.security.plugins.JaasSecurityManagerService" name="jboss.security:service=JaasSecurityManager"> <attribute name="SecurityManagerClassName"> org.jboss.security.plugins.JaasSecurityManager </attribute> <attribute name="DefaultCacheTimeout">6000</attribute> </mbean>
Not that I know of. A debugger or trace level logging of the org.jboss.security category is your next step.