With authorization the idea is that you assign EJB method permissions to groups. Your system administrator can then create new users and place them into those groups. No need to redeploy your EJB's because the groups are stable.
In the deployment descriptor of your EJB use the <method-permission> tag to tell the server which roles are allowed to call which methods. For the roles you specify groups and not specific users. You then map the groups specified in the <method-permission> tag to real groups/principals you created in your J2EE server. This mapping is not specified in the J2EE spec so how this mapping is done, depends on the specific server you are using. In Bea WebLogic the mapping is done in the WebLogic specific deployment descriptor (weblogic.xml).
As for the external cache implementation. The J2EE spec. has some demands for the bean developer about not interfering with the container. Some of those demands: No messing about with the classloaders, do not use native libraries, do not use static variables. In cases where we were asked to break those demands, we created a separate JVM running the law-breaking code. We connect to the other JVM using RMI.
Most caching mechanisms are implemented using some Singleton pattern. (static variable which is also a nono). Run the cache in a separate JVM and connect via RMI. Do NOT implement the cache yourself but use some framework like JCache. The framework will handle the multiple calls.
hope this helps...