There is a similar problem in using the TimedCachePolicy as the credential cache in the JaasSecurityManager when using SRP. The TimedCachePolicy only removes entries when an existing entry is replaced by a new one for the same Principal, but the SRPPrincipal object will differ every time because of the sessionID. Hence expired credentials will remain behind in the cache indefinitely.
The JaasSecurityManagerService would need a flushExpired(String domain) op to clear the sessions, or an alternate SRPServerListener implementation that flushed the principal on the closedUserSession(SRPSessionKey) event.
Thanks for the replies. I'm probably a bit paranoid about "close" not being guaranteed to always happen for sessions in general, so I made an extended TimedCachePolicy class that regularly removes expired sessions in its TimerTask. Of course this requires synchronization with threads that insert and get entries, so it will slow the cache down somewhat.
That's all from me on this subject for now. Just want to let you know that I enjoy working with JBoss and I find the code easy to work with. Thanks for a great product.
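The extended cache with a purging TimerTask described in the reply above, as an added standalone illustration that is not JBoss code and not the poster's class. It does not extend org.jboss.util.TimedCachePolicy; the names SweepingTimedCache and SessionPrincipal are hypothetical, and the key type only mimics the SRP situation in which equality includes a session id, so a second login by the same user never replaces the first entry. With the sweeper disabled the three entries for "alice" outlive their lifetime until something touches them; with it enabled they are removed by the timer even though no further insert() or get() happens.

```java
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Timer;
import java.util.TimerTask;

/*
 * Standalone illustration for this thread. Not org.jboss.util.TimedCachePolicy
 * and not JBoss code; class and method names here are assumed for the example.
 */
public class SweepingTimedCache {

    /** Key modelled on an SRP-style principal: equality includes the session id,
     *  so the same user logging in twice yields two distinct cache keys. */
    static final class SessionPrincipal {
        final String name;
        final int sessionID;
        SessionPrincipal(String name, int sessionID) { this.name = name; this.sessionID = sessionID; }
        @Override public boolean equals(Object o) {
            return o instanceof SessionPrincipal
                && ((SessionPrincipal) o).name.equals(name)
                && ((SessionPrincipal) o).sessionID == sessionID;
        }
        @Override public int hashCode() { return Objects.hash(name, sessionID); }
        @Override public String toString() { return name + "#" + sessionID; }
    }

    private static final class Entry {
        final Object value;
        final long expiresAt;   // absolute wall-clock millis
        Entry(Object value, long expiresAt) { this.value = value; this.expiresAt = expiresAt; }
    }

    private final Map<Object, Entry> entries = new HashMap<>();
    private final long lifetimeMillis;
    private final Timer timer = new Timer("cache-sweeper", true);

    /** sweepPeriodMillis <= 0 disables the periodic purge (replace-only behaviour). */
    SweepingTimedCache(long lifetimeMillis, long sweepPeriodMillis) {
        this.lifetimeMillis = lifetimeMillis;
        if (sweepPeriodMillis > 0) {
            timer.schedule(new TimerTask() {
                @Override public void run() { sweep(); }
            }, sweepPeriodMillis, sweepPeriodMillis);
        }
    }

    /** Insert or replace. With a per-session key, replacement never happens. */
    public synchronized void insert(Object key, Object value) {
        entries.put(key, new Entry(value, System.currentTimeMillis() + lifetimeMillis));
    }

    /** Returns null for a missing or expired entry; an expired one is dropped on the way out. */
    public synchronized Object get(Object key) {
        Entry e = entries.get(key);
        if (e == null) return null;
        if (e.expiresAt <= System.currentTimeMillis()) { entries.remove(key); return null; }
        return e.value;
    }

    /** The periodic purge. It takes the same monitor as insert/get, which is the
     *  synchronisation cost mentioned in the thread. Returns the number removed. */
    public synchronized int sweep() {
        long now = System.currentTimeMillis();
        int removed = 0;
        for (Iterator<Entry> it = entries.values().iterator(); it.hasNext(); ) {
            if (it.next().expiresAt <= now) { it.remove(); removed++; }
        }
        return removed;
    }

    public synchronized int size() { return entries.size(); }

    public void shutdown() { timer.cancel(); }

    /** Fills a cache with three sessions for one user, then waits past their lifetime. */
    static int sizeAfterLifetime(long sweepPeriodMillis) throws InterruptedException {
        SweepingTimedCache cache = new SweepingTimedCache(200, sweepPeriodMillis);
        for (int session = 1; session <= 3; session++) {
            cache.insert(new SessionPrincipal("alice", session), "credential-" + session);
        }
        Thread.sleep(450);   // longer than lifetime plus one sweep period
        int size = cache.size();
        cache.shutdown();
        return size;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("replace-only policy, entries left: " + sizeAfterLifetime(0));
        System.out.println("with sweeper,        entries left: " + sizeAfterLifetime(50));
    }
}
```

Run it as a single file (javac then java SweepingTimedCache). The first line keeps all three expired credentials, because nothing ever inserts under an equal key and nothing calls get() on them; the second drops to zero because the TimerTask walks the map itself. The timer thread is a daemon so a forgotten shutdown() cannot keep a JVM alive, and every access path, including size(), holds the same monitor, which is what makes the sweep safe against concurrent insert/get at the cost the reply mentions.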