We have replaced JaasSecurityManager with our own version that synchronizes on principal-keyed locks. It looks safe enough, and performance is greatly improved. It's trivial code, but I can submit it if anyone wants it.
My previous post seems to have been lost. Improving the concurrency of the JaasSecurityManager.isValid is on my todo list. Post your version of the JaasSecurityManager to the Patches section on the JBoss/Sourceforge project site here:
and I'll look at incorporating the changes if they look ok.