Although this is a solution, but caching private credentials seems not appropriate. The JAAS specification does not enforce not caching private credentials, but it argues that it is better to clean the private credentials. So, the developer should have a chance to specify such a behavior when the application is configured, but not programmaticly. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4173302#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...