You would have to create your own client/server login module pairs that allowed for this. The default JBoss login mechanism does not pass logout calls to the server as authentication is stateless.
To accomplish this I had to add a logout method to the SecurityManager, and insert another Interceptor in the StatelessSessionContainer which only looks for create calls on a "LogoutHome". (The Logout Bean has no methods in its RemoteInterface, the LogoutHome has only create().) When the interceptor intercepts a call to LogoutHome.create(), it calls SecurityManager.logout(), which calls LoginContext.logout(), which does the login module logouts.
Now I have to add a non-default cache policy to the SecurityManager, since the default doesn't maintain state.
Scott, I really like what you've done. But your explanations are so windy!
Adding container interceptors is not the best way to do this as this only works for the EJB types for which you change the interceptor configurations. The security manager is an independent entity that is accessible from JNDI via the security domain name so the simplest approach is to create a logout mbean that exposes an RMI interface for use by your client side login module. The mbean would house the cache policy used by the security manager and simply do the logout without having to deal with the security manager. No changes to the security manager would be required.
Thanks. I think I understand what you're saying.