1 Reply Latest reply on Aug 10, 2005 10:31 AM by starksm64

    Incorrect user gets logged in when the browser is not closed

    dkamdar

      Problem:
      When the user does not close the browser and logs in again to the web applications on JBoss, it will sometimes log the user in as the previous user.

      Configuration:
      We are using JBoss 4.0.2, we have 2 nodes in the cluster, and we are using a custom logon module (we think the problem is before this because our logon module is not being called when the incorrect user is logged in).
      We are using basic auth; however, we are using a security device in front of our web application that performs single sign-on. So the user is not actually presented with the basic auth login box; they log in to the security device and it single signs-on to the web application running on JBoss.

      Scenario:
      The user logs in to the security device and goes to our menu system. When the user clicks a link, it launches an application running on JBoss. The first time everything is fine. Now the user logs out of the security device and goes back to the logon page without closing the browser. The user logs in as another user, goes to the menu page, and clicks on the web application running on JBoss, and sometimes it will log in as the previous user.

      What we have learned from some testing and debugging:
      First we decided to check the authorization header parameter against request.getRemoteUser and request.getUserPrincipal. They don't match; the authorization header parameter is always right, it has the information for the new user that logged in. So we don't think the problem is with our security device, because it is sending down the correct information to JBoss in the header.

      We also put breakpoints all over the JBoss framework trying to figure out where things were going wrong.
      Here is what we deduced: when it works correctly it runs through the login framework, and when it doesn't it jumps right into the web application. We are using Struts, so it jumps right into our Action class.

      Here is a list of locations where we put breakpoints. We were trying to figure out where the decision is being made to skip the login framework, but we were unable to:

      JBossSecurityMgrRealm [line: 209] - authenticate(String, String)
      JaasSecurityManager [line: 468] - defaultLogin(Principal, Object)
      JaasSecurityManager [line: 591] - getCacheInfo(Principal, boolean)
      JaccAuthorizationRealm [line: 139] - checkSecurityAssociation(Permission, Principal)
      LoginInitialContextFactory [line: 45] - getInitialContext(Hashtable)
      ProxyLoginModule [line: 80] - login()
      SystemAuthenticator [line: 77] - startService()
      UsernamePasswordLoginModule [line: 77] - initialize(Subject, CallbackHandler, Map, Map)
      UsernamePasswordLoginModule [line: 139] - login()

      So if anybody has any suggestions on why this might be happening or where to look to try to figure out why this is happening that would be greatly appreciated.

      thanks,
      dipen
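
The header-versus-principal comparison described in the post can be turned into a defensive servlet filter; this is an added example, not part of the original post or of JBoss. It assumes the stale identity is carried by an HTTP session that outlived the logout on the security device, and that the principal name equals the Basic auth user name; the class name `IdentityMismatchFilter` is hypothetical, and `java.util.Base64` requires Java 8 or later.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: drops the session when the Basic auth user and the container principal differ. */
public class IdentityMismatchFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(IdentityMismatchFilter.class.getName());

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    /** Returns the user name from a Basic Authorization header, or null if absent or malformed. */
    static String basicUser(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String decoded = new String(raw, StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':');
            return colon < 0 ? null : decoded.substring(0, colon);
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String headerUser = basicUser(req.getHeader("Authorization"));
        String containerUser = req.getRemoteUser();
        // Mismatch: the device sent one user, the container still holds another.
        if (headerUser != null && containerUser != null && !headerUser.equals(containerUser)) {
            HttpSession session = req.getSession(false);
            if (session != null) session.invalidate(); // discard the previous user's state
            // User names are left out of the log line to avoid log injection.
            LOG.warning("Authorization header user differs from container principal; session invalidated");
            // Redirect to the server-configured context root so the next request
            // starts without the old session and goes through authentication again.
            res.sendRedirect(req.getContextPath() + "/");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The filter has to be mapped in `web.xml` ahead of the Struts action servlet so that a mismatched request never reaches an Action class.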