Hi all

I have a question / problem with a custom LoginModule; the scenario is like this:

My custom LoginModule extends from HttpServletRequestLoginModule; i am implementing all the relevant methods (login, abort, logout, commit, etc); i don't think the code in that loginModule is relevant, but if it is needed i can post it

the login-config.xml looks like this:

<application-policy name="SpyralSecurityPolicy">
        <authentication>
            <login-module code="com.carrasco.internet.security.JSFInternetLoginModule" flag="required">
                <module-option name="wsUrl">http://someUrl</module-option>
            </login-module>
        </authentication>
    </application-policy>

the jboss-web.xml looks like this:

<jboss-web>
    <context-root>/spyralSecurity</context-root>
    <security-domain flushOnSessionInvalidation="true">
        java:/jaas/SpyralSecurityPolicy
    </security-domain>
</jboss-web>

and the web.xml looks like this:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SpyralSecurityApplication</web-resource-name>
        <url-pattern>/pages/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
</login-config>

in my application i have a logout action that does this:

HttpServletRequest request = (HttpServletRequest) FacesContext
                .getCurrentInstance().getExternalContext().getRequest();
request.getSession().invalidate();

As far as i know, this should be sufficient to make a logout and clear the LoginCredentials cache, but in the security log i have found this:

2010-10-21 16:24:02,238 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] securityDomain=SpyralSecurityPolicy
2010-10-21 16:24:02,241 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Authenticated Principal=com.carrasco.internet.security.UsuarioInternet@10ccf09
2010-10-21 16:24:02,241 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Before flush of authentication cache::
2010-10-21 16:24:02,245 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added SpyralSecurityPolicy, org.jboss.security.plugins.SecurityDomainContext@19c92e2 to map
2010-10-21 16:24:02,245 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Number of authenticated principals remaining in cache=1
2010-10-21 16:24:02,245 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Authenticated principal in cache=admin
2010-10-21 16:24:02,245 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] After flush of authentication cache::
2010-10-21 16:24:02,245 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Number of authenticated principals remaining in cache=1
2010-10-21 16:24:02,245 TRACE [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Authenticated principal in cache=admin

as you see, before the flush of authentication cache there is one authenticated principal, and after the flush of the authentication cache, there is still 1 authenticated principal

am i doing something wrong or missing something ?? is this a bug in the jboss 5.1.0.GA server ??

please help, this is very urgent