OK, so I recognize that while using BASIC auth, the browser controls the login session, and nothing on the server side can log out a "BASIC" authenticated client.
Just FYI, I'm calling a JBoss webservice from an Adobe FLEX Flash application running in the browser.
So, I turned BASIC auth OFF on my webservices EJB endpoint, and am now using WSSE UsernameToken to authenticate the Flash client to my JSR 181 EJB endpoint.
However, for whatever reason, if I make some WS calls as User A, then make some WS calls as User B (essentially, changing the WSSE username/password tokens), JBoss still thinks I'm User A.
I did some digging on my JBoss server (DEBUG mode), and noticed that the WSSE client calls are happening via HTTP POST. Since my username is being "remembered" by the JBoss server, there must be some sort of session getting established? (This seems to be functioning a lot like FORM-based authentication). In a typical servlet, I could simply "logout" by invalidating the session. HOW does one do that with an EJB? I don't see any way to get access to the Session... so I don't know how to invalidate it.
I solved my problem. As it turns out, I had a bug in my code on the Flex side that was adding a WSSE header every time I logged out/logged in (but never removing the headers, and re-using the WebService object used to make calls to the JBossWS). So, while I did have the new credentials to login as, I still had the old credentials in the Webservice object, which were getting passed to JBoss.
So, after correcting for this error on my part, I can now send multiple WS requests as different users without shutting down my browser, exiting the Flash client, or "invalidating" anything on the server side.
Apparently, all JBossWS calls are stateless. (Ahem).
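
The bug described in the last post, reproduced as an added example that is not the poster's code: a reused client object keeps appending WS-Security headers, so the request sent as User B still carries User A's token. `WsClient` and the credentials are constructed stand-ins (not Flex or JBossWS APIs); `token_usernames` lists the UsernameToken entries in an outgoing SOAP envelope so the stale one is visible.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")


class WsClient:
    """Hypothetical stand-in for a web service object reused across logins."""

    def __init__(self):
        self.headers = []  # SOAP headers persist on the object between calls

    def login(self, username, password, clear_first):
        if clear_first:
            self.headers.clear()  # the fix: drop the previous user's token
        self.headers.append((username, password))

    def envelope(self):
        env = ET.Element(f"{{{SOAP}}}Envelope")
        header = ET.SubElement(env, f"{{{SOAP}}}Header")
        for user, pw in self.headers:
            sec = ET.SubElement(header, f"{{{WSSE}}}Security")
            tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
            ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
            ET.SubElement(tok, f"{{{WSSE}}}Password").text = pw
        ET.SubElement(env, f"{{{SOAP}}}Body")
        return ET.tostring(env)


def token_usernames(envelope_bytes):
    """Return every UsernameToken username present in the envelope, in order."""
    root = ET.fromstring(envelope_bytes)
    path = f".//{{{WSSE}}}UsernameToken/{{{WSSE}}}Username"
    return [u.text for u in root.findall(path)]


def is_ambiguous(envelope_bytes):
    """True when one request carries more than one UsernameToken."""
    return len(token_usernames(envelope_bytes)) > 1


def demo(clear_first):
    """Log in as userA, then userB, and return the envelope sent for userB."""
    client = WsClient()
    client.login("userA", "constructed-pw-a", clear_first)
    client.login("userB", "constructed-pw-b", clear_first)
    return client.envelope()
```

A server-side handler or a test proxy can apply the same `is_ambiguous` check to reject or log requests that carry more than one identity.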