You probably aren't using the
J2EE standard security system them. Things like this are why inventing your own security system is a Bad Idea.
The user's browser cache belongs to the user and is managed by the user's browser. Server-side code cannot clear it. And, in fact, server-supplied cache directives are hints and not commands. The browser may or may not honor them.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.