Description of problem: By default (cache-type="default"), HttpServletRequest.logout() invokes JAAS login module's logout(). Removing cache-type attribute from <security-domain/>, HttpServletRequest.logout() does not invoke JAAS login module's logout(). Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
The issue here is that JBossGenericPrincipal is never provided with LoginContext. Hence GenericPrincipal.logout() cannot call a logout on it. If cached the LoginContext is stored within DomainInfo and logout is executed within a flushCache method invocation.
Verified in 6.4.0.DR11.