your portlet needs to extend JBossPortlet , which will give you the JBossActionResponse as an argument in the processAction method. This response has the

 public void signOut()

you need to do that in an processAction() of a portlet.

you can write a portlet for that and place it into the header region. turn off decoration for that portlet if you want (examples for that are in the theme test page in the default portal (in 2.2)), so that you see only the button, and none of the title or edit/view/help links , etc.

In that case, every page that wants to use this feature needs to define your logout portlet as one of the portlets on the page, and it needs to assign it to a region that your layout actually renders.

I've got the signOut() method being called, and it is effectively disabling the JAAS login/session that we are using (logging the user out).

The problem that I'm seeing, however, is that it is not destroying the session on the server. Which means that if the user does not close their browser and logs back in with a different id, the session is brought back and contains information form the previous login.

This is a HUGE problem. Microsoft was blasted for a similar problem in IIS by the security community a while back.

Is there a good way to completely clear out/destroy all sessions associated with a given user during the logout process (I have been lead to understand that each portlet is given its own "session" as it exists as an independent web application)?

can you provide a test case ?

Unfortunately, the codebase that we're working with right now is rather large (and we're under a huge crunch to push the product to testing).

Try the following:

1. Create a Portlet using Apache's MyFaces/JSF.

2. Define a managed bean with session scope in your faces-config.xml:
<faces-config>
<managed-bean>
<managed-bean-name>myBean</managed-bean-name>
<managed-bean-class>com.myco.MyBean</managed-bean-class>
<managed-bean-scope>session</managed-bean-scope>
</managed-bean>
</faces-config>

3. Inside of that managed bean, create an instance variable that is instantiated and populated with information out of your login (say, your username -- FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getName())

Make sure that this variable is only instantiated once for the session. Something like the following:
package com.myco.MyBean;

public class MyBean {

private String myName;

public String getMyName() {
if (myName == null) {
myName = FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getName();
}
return myName;
}

}

4. Login as user 1. Go to a JSF page which has the following in it:
<h:outputText value="#{myBean.myName}" />

5. Logout of your session.

6. Without restarting your browser (so that the same sessionid is communicated to the server), login as a different user. Go to the same JSF page as step 4....you should see the information from the first login.

what is your jboss portal version ?

We're running JBoss AS 4.03SP1 and running JBoss Portal 2.01RC3

I should probably mention as well: we're running JBoss AS with EJB3 support enabled.

You are right, the feature is developed but there is one interceptor missing in the portlet stack which is the session tracker interceptor.

what you should do is :

1/ edit jboss-portal.sar/conf/standardjboss-portlet.xml
2/ in the portlet configuration add the interceptor :

 <interceptor>
 <interceptor-class>org.jboss.portal.server.aspects.component.ContextTrackerInterceptor</interceptor-class>
 </interceptor>

Umm...what version of Portal are you running?

I don't show any ValveInterceptor in my copy of standardjboss-portlet.xml, and receive the following during startup if I insert the interceptor you defined:

No ClassLoaders found for: org.jboss.portal.server.aspects.component.ContextTrackerInterceptor

Is there a new JAR or other library file that I need to pull down and add into the server lib directory?

actually the valve interceptor only exist in 2.2

Is there any way to make the logout work properly under 2.0? We've built our project around that and I'd rather get things stabilized under 2.0 before we consider migrating to 2.2 (though I'm sure that will happen in the not-too-distant future).