
[WFCORE-7192] Brute Force Authentication Attack: jaas-realm creates sessions for non-existing users


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Security: None

      From Slack discussion:

      Where realms can identify if an identity exists we have measures in place to avoid creating lots of entries in the cache so a remote attacker cannot use random usernames to fill our cache.

      But realms like the JAAS realm don't know if an identity exists so always return true.

      Maybe we will need to set a size limit on the cache but the risk is an attacker could then cause the older entries to be evicted.

      Another option is once the cache is above a certain size reject all authentication attempts until the size drops due to timeouts. Maybe slightly DOS behaviour but if the server is under that much attack maybe it is justified. That does feel better than leaving an option that allows an attacker to influence cache eviction.

      I think I will default to about 1,000 and add a config option, we can let them set a negative value if they want unlimited and document the risks.
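The policy sketched in the discussion above (a size-capped cache whose entries only leave through timeouts, with all new authentication attempts rejected while the cap is reached, a default of 1,000 and a negative value meaning unlimited) can be modelled in a few lines. The following Java class is an added illustration written for this page; it is not WildFly or Elytron code, and the class name, the `Outcome` enum, the injectable `LongSupplier` clock and the 60-second timeout are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.LongSupplier;

// Illustrative bounded cache of per-username authentication state for a realm
// (such as a JAAS realm) that cannot tell whether a username really exists.
// Entries leave only by timeout; the cache never evicts on size, so a flood of
// random usernames cannot push real users' entries out.
public class BoundedAuthCache {

    public enum Outcome { ACCEPTED, REJECTED_CACHE_FULL }

    private final Map<String, Long> entries = new HashMap<>(); // username -> expiry (ms)
    private final int maxSize;      // cap on entries; negative = unlimited (document the risk)
    private final long ttlMillis;   // how long an entry lives before it times out
    private final LongSupplier clock; // injectable clock so behaviour is deterministic in tests

    public BoundedAuthCache(int maxSize, long ttlMillis, LongSupplier clock) {
        this.maxSize = maxSize;
        this.ttlMillis = ttlMillis;
        this.clock = clock;
    }

    // Defaults mirroring the discussion: about 1,000 entries (timeout value assumed).
    public static BoundedAuthCache withDefaults(LongSupplier clock) {
        return new BoundedAuthCache(1000, 60_000L, clock);
    }

    // Called once per authentication attempt. While the cache is at its cap every
    // attempt is rejected until timeouts bring the size back down; an attacker can
    // therefore only cause a temporary refusal, never the eviction of other entries.
    public Outcome attempt(String username) {
        long now = clock.getAsLong();
        entries.values().removeIf(expiry -> expiry <= now); // timeout-based removal only
        if (maxSize >= 0 && entries.size() >= maxSize) {
            return Outcome.REJECTED_CACHE_FULL;
        }
        entries.putIfAbsent(username, now + ttlMillis);
        return Outcome.ACCEPTED;
    }

    public int size() {
        return entries.size();
    }

    public static void main(String[] args) {
        long[] now = {0L};                       // fake clock, advanced by hand below
        BoundedAuthCache cache = withDefaults(() -> now[0]);

        // Constructed flood: 1,500 distinct usernames that no user store would know.
        int accepted = 0, rejected = 0;
        for (int i = 0; i < 1500; i++) {
            if (cache.attempt("ghost-" + i) == Outcome.ACCEPTED) accepted++; else rejected++;
        }
        System.out.println("accepted=" + accepted + " rejected=" + rejected
                + " size=" + cache.size()); // accepted=1000 rejected=500 size=1000

        // While full, even a real user is refused (the "slightly DOS" trade-off).
        System.out.println("alice while full: " + cache.attempt("alice"));

        // Advance past the timeout: entries expire, capacity returns, logins resume.
        now[0] += 60_001L;
        System.out.println("alice after timeout: " + cache.attempt("alice")
                + " size=" + cache.size());

        // Negative cap reproduces the unlimited behaviour the issue warns about.
        BoundedAuthCache unlimited = new BoundedAuthCache(-1, 60_000L, () -> now[0]);
        for (int i = 0; i < 5000; i++) unlimited.attempt("ghost-" + i);
        System.out.println("unlimited size=" + unlimited.size()); // 5000
    }
}
```

The point to notice is the choice inside `attempt`: the only removal path is the timeout, so the cap can cause refusals but can never be turned by an attacker into eviction of someone else's entry. In a deployment the rejection should be surfaced as a distinct audit event so that a sustained run of `REJECTED_CACHE_FULL` is visible to operators as the attack it indicates rather than as a generic login failure.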

              darran.lofthouse@redhat.com Darran Lofthouse
              okotek@redhat.com Ondrej Kotek