THX for the reply The problem is more complex, we do a password change and want the current session to use the new password for any EJB access call --> nipunbatra indeed this is a solution but we want to avoid an authorization call (remote in our case) for each EJB access, that's why we enable the caching --> ecoray We do this flush but the problem is when the flush is done and you do a logout the EJB destroy methods are called and because the cache is flushed the applic wants to reauthenticate for EJB access but he uses the password before the change and causes several attempts to login with the user which causes the user to block (if you login 3 times with different password our login module blocks the user) I tried the SecurityAssociaton.setCredential but at next login the old password is still ini the securityassociation object, so it seems more than one securityassociation object is stored in the cache View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4024175#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...