We have some web/webservice applications whose users are unhappy that login information is cached because it can (in certain situations) allow for brute force attempts to guess the password. Our security environment utilizes JPAM/PAM-based account locking rules + LDAP, so this means that by locking the account via JPAM/PAM when multiple bad credential combinations are entered repetitively, we have to wait for the cache to time out for the account to really be "locked".
Would it be feasible (a good idea) to write a LoginModule that by being first in the stack for a given domain would only drop users from the cache (using the JMX interface) if a LoginModule further down the stack rejected the supplied credentials? That would seemingly allow us to enjoy the benefits of caching while letting the account locking rules work as expected.
Is this a proper approach to the problem, or might there be a better way to go about this? It seems a bit untidy when this is almost a caching function rather than a LoginModule type of use case, but in the end it seems to resolve the issue.
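An added sketch of the module described above, written in plain JAAS (it is example code, not code from the poster or from the JBoss project). The useful detail is the hook point: if this module sits first in the stack with control flag `optional`, it never vetoes a login itself, and when a module further down the stack rejects the credentials the LoginContext calls `abort()` on every module whose `login()` ran, so the eviction belongs in `abort()` rather than in `login()`. The MBean name `jboss.security:service=JaasSecurityManager`, the operation `flushAuthenticationCache(String, Principal)` and the module option `securityDomain` are assumptions about the JBoss 4/5-era security manager and should be checked against the server's JMX console.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.List;
import java.util.Map;

import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * "Flush on failure" module. Configure it first in the stack as "optional":
 * it only records the user name in login() and evicts that user's cached
 * entry in abort(), which the LoginContext invokes when the overall
 * authentication fails (i.e. a later required module rejected the password).
 */
public class FlushCacheOnFailureLoginModule implements LoginModule {

    // Assumed names (JBoss AS 4/5 JaasSecurityManager MBean); verify on the server.
    private static final String SECURITY_MANAGER_MBEAN = "jboss.security:service=JaasSecurityManager";
    private static final String FLUSH_OPERATION = "flushAuthenticationCache";

    private CallbackHandler callbackHandler;
    private String securityDomain;   // assumed module option "securityDomain"
    private String userName;         // captured in login(), consumed in abort()

    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.callbackHandler = callbackHandler;
        this.securityDomain = (String) options.get("securityDomain");
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("User name: ");
        try {
            callbackHandler.handle(new Callback[] { name });
        } catch (IOException e) {
            throw new LoginException("Cannot obtain user name: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("Callback handler does not supply a user name");
        }
        userName = name.getName();
        return true;   // no decision of its own; the PAM/LDAP modules decide
    }

    public boolean commit() {
        return true;   // overall success: the cache entry stays valid
    }

    public boolean abort() {
        // Overall failure: drop the previously cached credentials so the next
        // attempt reaches the PAM/LDAP modules and observes the account lock.
        if (userName != null && securityDomain != null) {
            evict(securityDomain, userName);
        }
        userName = null;
        return true;
    }

    public boolean logout() {
        userName = null;
        return true;
    }

    private static void evict(String domain, String user) {
        try {
            ObjectName target = new ObjectName(SECURITY_MANAGER_MBEAN);
            List<MBeanServer> servers = MBeanServerFactory.findMBeanServer(null);
            for (MBeanServer server : servers) {
                if (!server.isRegistered(target)) {
                    continue;
                }
                server.invoke(target, FLUSH_OPERATION,
                        new Object[] { domain, new NamePrincipal(user) },
                        new String[] { String.class.getName(), Principal.class.getName() });
                return;
            }
        } catch (Exception e) {
            // Best effort: a failed flush must not change the outcome of an
            // already rejected login; log it with the container's logger instead.
        }
    }

    /** Principal compared by name only, so it matches the cached entry's key. */
    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) {
            return o instanceof Principal && name.equals(((Principal) o).getName());
        }
        public int hashCode() { return name.hashCode(); }
        public String toString() { return name; }
    }
}
```

Two design points worth keeping in mind with this layout: the flush is triggered by any failed attempt, so an unauthenticated client can force the user's next login through the full PAM/LDAP path (which is exactly the lock-enforcing behaviour wanted here, at the cost of some cache hit rate), and in a cluster each node has its own authentication cache, so the eviction only affects the node that saw the failure.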