I can't see exactly the details of how GWT get the logged user information (the "principal").
but obviously, the GWT application does not know that the Principal is not anymore "out of use".
two way :
- at each request, the GWT re get the Principal (and may all other login information)
- when the session is invalidate(), a event is sent to the GWT, so it also invalidate the user informations.
globally : look the details of how the GWT get the userPrincipal from the session, and see why it keeps it after the log out.
hope it helps...
Thanks for the replay, per my testing it indicated the user still was able to revisit the GWT based application even the session == null && the principal == null.
So my question is:
Can JBoss container enforce the login after the logout in the GWT based app? if is not, how to enforce the login in GWT are there any practical approach?
I took a further look, the JBoss did enforce the login again after the user logout. however, the content of the login page displayed to the user instead of the real login pages. this is tested in the GWT based application. Anybody saw this issues before, please advise. thanks