I've just configured a security environment using JAAS+JBOSS. It works well. I've created a login module stack with a dummy login module that is only used for logging and an org.jboss.security.auth.spi.UsersRolesLoginModule that effectively executes the authentication.
Using a simple web app (only some JSPs and a session listener) I can log in and log out without problems. The dummy login module registers the access for each method called in the login process and I can see it in the logs. I can use it with SSO and it works fine.
When I execute the logout in the web app, that is, invalidate() the session, I can see in the log that the logout() method has been executed, but when the user session expires it doesn't happen. The logout() method is only executed the next time that the same user tries to log in.
I saw that a LoginContext can only authenticate one Subject at a time; this LoginContext is responsible for calling the login module. When the session expires the LoginContext "dies" with this session, and is it because of this that the logout() method call doesn't happen?
Is there a way to force a call to the login module to guarantee that the logout() method will be called?
Can someone help me?