Invalidating the session does not remove the request principal from the current request.
And how could I remove the request principal?
You can't, short of rewriting the servlet request. Why should the principal be removed from the current request?
The issue is that my application is made with Struts and Tiles, and the menu tile (in summary, a JSP page) is composed of a public part and a private part that can only be accessed when a validated user (I've made the validation with a login form) has logged in.
The implementation of the menu tile is more or less like the above code.
I've used Struts logic tags.
<logic:notPresent role="*">
    ....... Public menu components (login access included).....
</logic:notPresent>
<logic:present role="*">
    ......... Private menu components for a validated user (logout access included) .............
</logic:present>
Note: The '*' can be substituted by a concrete role as needed, of course.
On the other hand, there are more ways of implementing this functionality, but I thought that this was the cleanest way to do this.
As I mentioned before, in the previous topics, the logout functionality is implemented by session.invalidate(), but that action doesn't remove the request's user principal, so the first time the logout is called, the private menu part keeps being shown and the public menu part remains hidden. But the second time the logout function is called, the user principal doesn't exist and the public part of the menu is shown.
If you tell me that I cannot remove the user principal from the request (by the way, it's logical), then I suppose I'll have to think of another implementation of the menu tile.
Thanks a lot for your comments.
Similar issue here with 4.0.1sp1...Any plans?
Note: Version 3.0.6 - the principal is removed on logout...
There is no spec defined behavior that indicates that request principal should change when the session is invalidated. In general, the request principal has nothing to do with the session. Only FORM auth has any association between the authenticated user and the session.
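An added example, not code from any poster in this thread: since the principal stays attached to the request that performed the logout, one common approach is to have the logout action invalidate the session and answer with a redirect, so the menu tile is rendered by a fresh request. The class name `LogoutAction` and the target path `/home.do` are hypothetical, and the sketch assumes FORM authentication on a Struts 1 application.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Hypothetical logout action (name and target path are assumptions).
public class LogoutAction extends Action {

    // Hypothetical public landing page containing the menu tile.
    private static final String AFTER_LOGOUT_PATH = "/home.do";

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {

        // getSession(false): do not create a session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // request.getUserPrincipal() may still be non-null here, because the
        // principal belongs to this request, not to the session. Rendering
        // the menu tile now would still match <logic:present role="...">.

        // Keep the authenticated page out of browser and proxy caches.
        response.setHeader("Cache-Control", "no-store");

        // Redirect so the browser issues a new request. With FORM auth the
        // container finds no session for it, so no principal is associated
        // and <logic:notPresent role="..."> renders the public menu.
        response.sendRedirect(request.getContextPath() + AFTER_LOGOUT_PATH);

        // Returning null tells Struts the response is already complete.
        return null;
    }
}
```

With BASIC or other non-session authentication the browser resends credentials on the redirected request, so this pattern only clears the menu state under FORM auth.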