We have a web application running on JBoss 3.2.3 which authenticates against an LDAP server using form-based authentication and JAAS.
There is a custom login module which extends org.jboss.security.auth.spi.UsernamePasswordLoginModule to achieve the same and has been configured using login-config.xml.
Everything works fine except when we encounter the below scenario.
a) Login to the application as user "A"
b) Using the browser back button, reach the login screen again (i.e. without logging out).
c) Now log in as user "B" (in the same browser session).
d) User "B" now has the principals of user "A" i.e.
Subject subj = SecurityAssociation.getSubject();
Your login form needs to detect that there is already an authenticated user and simply not display the login form.
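One way to put this answer into practice, as an added example that is not code from the question or the answer above: a servlet Filter mapped to the login page that redirects an already-authenticated session away from the form instead of rendering it, and that also marks the login page as non-cacheable so the back button cannot re-serve a stale copy of it. It assumes the Servlet 2.3 API available on JBoss 3.2.3, that the container attaches the authenticated principal to the session so that `request.getUserPrincipal()` is non-null on the (unprotected) login page after a successful form login, and that the landing page and login page paths (`/index.jsp`, `/login.jsp`) are placeholders to be replaced with the application's own.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Guard for the form-login page: if the current session already carries an
 * authenticated principal, do not show the login form again; send the user to
 * the application instead. Mapping in web.xml (paths are assumptions):
 *
 *   <filter>
 *     <filter-name>LoginPageGuard</filter-name>
 *     <filter-class>LoginPageGuardFilter</filter-class>
 *     <init-param>
 *       <param-name>homePath</param-name>
 *       <param-value>/index.jsp</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>LoginPageGuard</filter-name>
 *     <url-pattern>/login.jsp</url-pattern>
 *   </filter-mapping>
 */
public class LoginPageGuardFilter implements Filter {

    // Where an already-authenticated user is sent instead of the form (assumed default).
    private String homePath = "/index.jsp";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("homePath");
        if (configured != null && configured.length() > 0) {
            homePath = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Never let the browser cache the login page, so the back button cannot
        // resurrect a form that is no longer appropriate for this session.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0L);

        if (request.getUserPrincipal() != null) {
            // Session is already authenticated: skip the form entirely. Re-submitting
            // it would run the login module against a session that still holds the
            // first user's principals, which is the mix-up described in the question.
            response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + homePath));
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

Switching users then becomes an explicit action: the application's logout handler invalidates the session before the login page is reachable again, so a second login always starts from a fresh session rather than layering user "B" onto user "A".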