"piotr.koper" wrote : I think JBoss stores password in cache. Try to clear cache after changing password. | | piotr.koper Thanks for the response. After reading different articles, web-logs and bug descriptions I learned Tomcat is the one that stores password in http session. To clear the stored password you can write a valve for tomcat to do so or if you are running on Jboss 4.2.2 simply use the new WebAuthentication class to re-authenticate the user with new password programmatically. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4153404#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...