I realize I probably can't programmatically update the principal's credentials. It appears to me that JBoss security immediately becomes aware of the password change in the underlying database and attempts to reauthenticate the principal as soon as an EJB method is invoked, which fails because the principal's password has become stale. With this in mind, it appears that I can't even clean up state after changing the password, because I've got to immediately end the session before any EJB methods are invoked! There is some state to clean up, including removing EJBs prior to killing the session, that I would like to do...
So, how are others approaching implementing the change password feature? I'm not seeing anything in the JEE or EJB spec. on how the container should treat an underlying password change in the database, and Google searches aren't returning any hits.