Are you using FORM or BASIC web authentication? Session.invalidate() only works with FORM login.
When deleting users from the database, you'll need to flush the authentication cache. Search the forum for details on that.
What do you mean by deleting users from the database?
Do I have to delete the principals from the subject?
If yes, is it safe to get the subject using SecurityAssociation.getSubject()?
I have the same problem.
I'm trying to code a logout function for my web application.
That is, I have a FORM authentication and when I have a user validated, I want to code a logout function.
But if I try to make a Session.invalidate() after a user has been validated, it doesn't work, because if I execute the next code:
    request.getSession().invalidate();
    System.out.println("The user is authenticated after session.invalidate():");
    System.out.println( request.getUserPrincipal()!=null?"YES":"NO");
the standard output shows me "YES".
Also, I tried a flush of the cache instead of a session.invalidate(), but I think this is not the solution for this issue.
Thanks in advance for any kind of comment.