For JAAS this is achieved by caching keyed on the combination of the username and the password, once we switch to the CallbackHandler approach this is no longer applicable as there is often not a single username/credential combination - instead a protocol specific exchange is used to establish the identity of the remote user.

Any cache would also potentially require: -

• Predicable eviction.
• Management Operations e.g. clear entire cache, remove single entries etc...
• Separation of caches for authenticiation data and additional data loaded for authorization purposes.