0 Replies Latest reply on Mar 22, 2007 6:00 AM by fcorneli

    Why AbstractServerLoginModule.logout is not removing added r

    fcorneli

      Hi,

      I just came across a situation in which the sessionContext.getCallerPrincipal() returns null because the principal was removed from the subject during logout, which is OK. The funny thing is that, because AbstractServerLoginModule is not removing any added roles, the RBAC still lets the 'null' caller principal call the method annotated with @RolesAllowed. Why is AbstractServerLoginModule not removing the added roles while removing the principal from the subject?

      Frank.
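The situation described in the post, as an added example that is not part of the original post and is not JBoss code: it uses only JDK classes to show a subject whose identity principal is removed at logout while its role group stays behind, next to a logout that removes everything the login added. The types `User` and `RoleGroup`, the helpers `commit`, `inRole` and `caller`, the group name "Roles" and the sample user are assumptions made for illustration.

```java
import java.security.Principal;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;

public class LogoutCleanupDemo {
    // Constructed stand-ins; a real module would use the container's principal and group classes.
    record User(String name) implements Principal {
        public String getName() { return name; }
    }
    record RoleGroup(String name, Set<String> roles) implements Principal {
        public String getName() { return name; }
    }

    // commit(): add the identity and a role group, and return exactly what was added.
    static List<Principal> commit(Subject s, String user, Set<String> roles) {
        List<Principal> added = List.of(new User(user), new RoleGroup("Roles", roles));
        s.getPrincipals().addAll(added);
        return added;
    }

    // Role check that looks only at role groups, never at the caller identity.
    static boolean inRole(Subject s, String role) {
        return s.getPrincipals(RoleGroup.class).stream().anyMatch(g -> g.roles().contains(role));
    }

    // Caller identity as the application would see it; null once the identity is gone.
    static Principal caller(Subject s) {
        return s.getPrincipals(User.class).stream().findFirst().orElse(null);
    }

    public static void main(String[] args) {
        // Logout that removes only the identity: the situation described in the post.
        Subject a = new Subject();
        List<Principal> addedA = commit(a, "frank", Set.of("admin")); // constructed sample user
        a.getPrincipals().remove(addedA.get(0));
        System.out.println("identity-only logout: caller=" + caller(a) + " admin=" + inRole(a, "admin"));

        // Logout that removes everything commit() added, role group included.
        Subject b = new Subject();
        List<Principal> addedB = commit(b, "frank", Set.of("admin"));
        b.getPrincipals().removeAll(addedB);
        System.out.println("full logout:          caller=" + caller(b) + " admin=" + inRole(b, "admin"));
    }
}
```

Tracking what `commit` added and removing exactly that set at logout keeps the cleanup symmetric, so principals contributed by other login modules on the same subject are left alone.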