Do an HttpSession.invalidate() to let JBoss clear the cached Principal, and then ask the user to re-login with new credentials.
Although this is a solution, caching private credentials does not seem appropriate. The JAAS specification does not forbid caching private credentials, but it argues that it is better to clean them up. So the developer should have a chance to specify such a behavior when the application is configured, not programmatically.
You have to edit conf/jboss-service.xml and set the attribute DefaultCacheTimeout to 0.
bye bye Erasmo Emilio
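As an added illustration (not from the thread), here is the MBean definition in conf/jboss-service.xml that the reply above refers to, with the shipped default timeout shown next to the disabled-cache setting; the MBean class/name and the default values are my assumptions based on the JBoss 3.x/4.x configuration and should be checked against your own file.

```xml
<!-- Added example, not from the thread. Assumes the JaasSecurityManagerService
     MBean as shipped in conf/jboss-service.xml of JBoss 3.x/4.x. -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
       name="jboss.security:service=JaasSecurityManager">
  <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
  <!-- Shipped default (assumed): an authenticated Principal stays cached for
       1800 seconds, so a password change or account lock is not seen until the
       entry expires or the security domain's cache is flushed. -->
  <!-- <attribute name="DefaultCacheTimeout">1800</attribute> -->
  <!-- 0 disables the cache: every request goes back through the login module,
       so changed or revoked credentials take effect immediately, at the cost of
       one login-module call per request. -->
  <attribute name="DefaultCacheTimeout">0</attribute>
  <!-- Granularity (seconds) at which cache entries are checked for expiry;
       irrelevant once the timeout is 0 but left in place (assumed default). -->
  <attribute name="DefaultCacheResolution">60</attribute>
</mbean>
```

Restart JBoss after the change; for a per-domain setting rather than a global one, the same timeout can be applied only to the affected security domain instead of the default.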