This is a general problem when one form of credential is converted into another and you don't have the information to reauthenticate, or don't want to. SRP has the same issue as does DIGEST auth in a cluster.
Stefan has taken charge of getting us a clustered cache policy. He will discuss it here soon.
I've taken a look in the jboss-cache project and it seemed to me that it suits our need of a cluster aware security cache. Besides managing the consistency of cache state in all cluster nodes, it allows for a number of configurations, such as replication messages mode (sync/async) and eviction policies (LRU, MRU, FIFO, etc).
Currently, the JaasSecurityManagerService instantiates a TimedCachePolicy by default. If we were to make the cache policy configurable, we would have to make some arrangements (like, for example, creating a new CachePolicy subclass to handle clustered environments and allowing the user to define which policy is to be used). On the other hand, maybe it would be possible to simply redefine the cache solution used by JaasSecurityManager to use solely the cluster-aware policy (since TreeCache can also be used in non-clustered environments).
In any case, the time-out behaviour of the TimedCachePolicy could be achieved by registering eviction policies that would cause the nodes to be evicted after a configurable amout of time. A TreeCacheListener would then register for eviction events and cause the principal to be logged out upon reception of such an event.
Stefan, u r on the right track. The cluster aware cache policy should not be the default. Only customers needing it will configure it.
I will take a more detailed look at your description and get back to you.
Scott has long time ago written a CachePolicy that we probably can reuse:
It is under the cluster module. I am not sure if the HA code in AS is still healthy (I am presuming it is).
In this case, it will only be a matter of providing an ObjectModelFactory to bind to DistributedTimedCachePolicy.
The default cache object factory is at the end of JaasSecurityManagerService class.