I have extended the DatabaseServerLoginModule with my own custom LoginModule... it works fine.
One thing that I'm trying to do and can't get to work is providing an interface that allows an 'administrator' to delete a user's account. When this occurs, I call flushAuthenticationCache via JMX, and through the JMX console I can see that the user's credentials have been removed.
The problem I've noticed is that if the user is logged in when I delete his account, he is still allowed to access the application via his browser. I thought that the flushAuthenticationCache with that user's name would force the LoginContext to be called again whenever the user attempts to access the application again. Is this correct?
Is there a way to prevent the user from accessing the application other than the methods I describe?
BTW, I'm using JBoss 4.0.2.