Hi,

I've read the previous posts on logout but I am still confused - sorry, but I am hoping someone can point me in the right direction.

I am using JBoss 2.4.4 with Tomcat and FORM based authentication. I have my own login module that extends UsernamePasswordLoginModule and retrieves authentication data from a RDBMS. Login works fine. On logout I am currently invalidating the session from my JSP page and that works okay - the user has to reauthenticate when next accessing the page.

So now to the problem. In the RDBS an administrator can mark an account as locked - meaning the user should be barred access. In the login module I can detect this locked state and throw a LoginException. But if the user has already logged in at some point, then their authentication details are cached by JBoss and they can still login. I have to bounce Jboss to ensure the user cannot log in.

So my thought was that when the user logs out, I need to call logout() on the users LoginContext to flush their info from the cache. Then on the next login things will work properly. But how do I get hold of the LoginContext for the user after the user has logged in on another JSP page? Can I do this from the logout JSP page ? Do I need to write an EJB to do it ? Is it in fact even possible ? Can I somehow put the LoginContext in the users session ? If so how do I get the LoginContext to start with to put in the session ?

All hints and tips gratefully received.

Doug