I only began working with JBoss recently and am trying to implement JAAS security. My configuration involves one JBoss instance running as the web server and another JBoss instance running as the application server containing the EJBs. When logging out of the web application, I perform a session.invalidate() in order for the authentication on the web layer to be flushed (along with flushOnSessionInvalidation="true" in jboss-web.xml). However, this does not seem to clear the authentication on the application server. Subsequent log-ins into the web application cause the appropriate LoginModule to be called on the web layer, but do not reauthenticate on the application layer.
Any help on how to clear the authentication on the EJB layer when logging out of the web layer is very much appreciated.
We have a test case for exactly this scenario, so the JBoss version and more than "it does not work" are required.