My colleague and I were implementing a Tomcat-JBossAS remote login module, and we found that an important piece of code is missing in Identity.java:

    loginContext.logout();

So if the user logs out, then loginContext.logout is not called.
It seems like a bug in Seam (2.1.2.CR1).
Here is a patch for Identity.java:

    public void unAuthenticate()
    {
        principal = null;
        subject = new Subject();
        credentials.clear();
        if(loginContext != null) {
            try {
                // Invoke logout() on the configured JAAS login modules
                loginContext.logout();
            }
            catch(LoginException e) {
                log.error("Logout failed", e);
            }
            finally {
                // Drop the reference whether or not logout succeeded
                loginContext = null;
            }
        }
    }

    // Context created at login time, kept so that unAuthenticate() can log it out
    private transient LoginContext loginContext;

    protected LoginContext getLoginContext() throws LoginException
    {
        if(getJaasConfigName() == null)
            loginContext = new LoginContext(Configuration.DEFAULT_JAAS_CONFIG_NAME, getSubject(), credentials.createCallbackHandler(), Configuration.instance());
        else
            loginContext = new LoginContext(getJaasConfigName(), getSubject(), credentials.createCallbackHandler());
        return loginContext;
    }
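
The effect of the missing call, as an added example that is not part of the original post or of Seam's code: a JAAS login module's logout() runs only when LoginContext.logout() is called, so whatever the module cleans up there stays in place if the context is simply dropped. DemoModule, the "demo" configuration name and the principal name are hypothetical.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class LogoutDemo {
    // Hypothetical module: commit() attaches a principal, logout() is the only place it is removed.
    public static class DemoModule implements LoginModule {
        static final Principal USER = () -> "demo-user";
        private Subject subject;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; }
        public boolean login() { return true; }
        public boolean commit() { subject.getPrincipals().add(USER); return true; }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().remove(USER); return true; }
    }

    // In-memory JAAS configuration so the demo needs no login.config file.
    static Configuration config() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        Subject subject = new Subject();
        LoginContext lc = new LoginContext("demo", subject, callbacks -> { }, config());
        lc.login();
        System.out.println("after login: " + subject.getPrincipals().size() + " principal(s)");
        // An application-level "logout" that only forgets its references never reaches
        // DemoModule.logout(); the authenticated Subject keeps its principal.
        System.out.println("references dropped, no logout(): " + subject.getPrincipals().size() + " principal(s)");
        lc.logout();
        System.out.println("after LoginContext.logout(): " + subject.getPrincipals().size() + " principal(s)");
    }
}
```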