Tuesday, December 11, 2007

Disable Tomcat Caching Principal

Tomcat caches the Principal (GenericPrincipal) in the Catalina request object. If you want to disable this, so that every request goes through authentication and authorization and you can refresh a user's roles within an existing session, do the following:

<Context>
  <Valve
    className="org.apache.catalina.authenticator.FormAuthenticator"
    cache="false" />
</Context>


Place this in a context.xml file in the META-INF directory of your WAR file for standalone Tomcat, or in WEB-INF for JBoss.

The above works for FORM authentication.

Remember that performance will suffer, because every request is authenticated and authorized again.
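To confirm that a built WAR actually ships this setting, the following added example (not code from the original post or from Tomcat) inspects the two context.xml locations named above and reports whether each authenticator Valve still caches the Principal. The function names and the sample WARs are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Locations named in the post: META-INF for standalone Tomcat, WEB-INF for JBoss.
CONTEXT_PATHS = ("META-INF/context.xml", "WEB-INF/context.xml")
AUTH_PREFIX = "org.apache.catalina.authenticator."


def audit_war(war_bytes):
    """Return (path, className, caching_enabled) for each authenticator Valve."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for path in CONTEXT_PATHS:
            if path not in war.namelist():
                continue
            root = ET.fromstring(war.read(path))
            for valve in root.iter("Valve"):
                cls = valve.get("className", "")
                if not cls.startswith(AUTH_PREFIX):
                    continue
                # Conservative audit rule: only an explicit "false" counts as
                # disabled; an absent attribute keeps Tomcat's default (caching on).
                cache = valve.get("cache", "true").strip().lower()
                findings.append((path, cls, cache != "false"))
    return findings


def principal_caching_disabled(war_bytes):
    """True only if an authenticator Valve is declared and none leaves caching on."""
    findings = audit_war(war_bytes)
    return bool(findings) and not any(enabled for _, _, enabled in findings)


def build_war(files):
    """Build an in-memory WAR from {path: text}; used only for the sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for path, text in files.items():
            war.writestr(path, text)
    return buf.getvalue()


# Constructed sample WARs: hardened, default (no cache attribute), no context.xml.
VALVE = '<Context><Valve className="org.apache.catalina.authenticator.FormAuthenticator"{}/></Context>'
HARDENED = build_war({"META-INF/context.xml": VALVE.format(' cache="false"')})
DEFAULT = build_war({"META-INF/context.xml": VALVE.format("")})
NO_CONTEXT = build_war({"WEB-INF/web.xml": "<web-app/>"})
```

A WAR with no context.xml, or with a Valve that omits the cache attribute, is reported as still caching, which is the case where role changes do not take effect until the session ends.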
