you need to traverse the interceptor in order to have the signout action be taken in account as the signout is done when the method call goes back in the interceptor chain. (that's why there is a localSignOut, set when the interceptors is traversed)
maybe it's possible to extract code to make this happen without that but now I don't have time to look at it :-(
This is to logout someone from the portal?
What happened to session.invalidate()?
seems like session.invalidate() (for container-managed authentication) is the simplest way to go.
session invalidate does not invalidate properly a user.
resp.signOut() invalidate all the session that a user has used.