Anil: By cache are you refering to the cache maintained by JaasSecurityManagerService? ... configured through (in JBossAS 4.0.4GA) /deploy/security-service.xml? .. with the default configuration: | !-- JAAS security manager and realm mapping --> | <mbean code="org.jboss.security.plugins.JaasSecurityManagerService" name="jboss.security:service=JaasSecurityManager"> | <attribute name="ServerMode">true</attribute> | <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute> | <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute> | <attribute name="DefaultCacheTimeout">0</attribute> | <attribute name="DefaultCacheResolution">0</attribute> | </mbean> | The reason I ask is that we are encountering the same issue with a custom login module that extends AbstractServerLoginModule implementing only initialize, and login. Thus allowing the super's commit and logout to handle things. -- James View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4013199#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...