Arjan t created SECURITY-876:
--------------------------------
Summary: Web-initiated logout doesn't clear authenticated identity in EJB
Key: SECURITY-876
URL: https://issues.jboss.org/browse/SECURITY-876
Project: PicketBox
Issue Type: Bug
Reporter: Arjan t
Assignee: Stefan Guilhen
After authenticating via JASPIC, calling {{HttpServletRequest#logout}} and then
requesting the caller/user principal (all within the same request), WildFly 8.2
correctly clears the principal for the web context, but does NOT clear the
principal for the EJB context.
Cross-checking with the RI (GlassFish 4.0/4.1) shows that there the EJB context is
indeed cleared.
As a workaround, calling the following code after logout (e.g. in an Undertow event
handler for SecurityNotifications) will clear the EJB context, but user apps should of
course not need to call this code:
{code:java}
// org.jboss.security.SecurityContextAssociation: drop the PicketBox thread-local context read by EJB invocations
SecurityContextAssociation.clearSecurityContext();
// org.jboss.security.SecurityRolesAssociation: drop the cached role mapping for the same thread
SecurityRolesAssociation.setSecurityRoles(null);
{code}
A reproducer for this issue is available at:
https://github.com/arjantijms/javaee7-samples/blob/master/jaspic/ejb-prop...
For WildFly 8.2 this will print:
{noformat}
web username: test
EJB username: test
web username after logout: null
EJB username after logout: test
{noformat}
For GlassFish 4.0/4.1 this will print:
{noformat}
web username: test
EJB username: test
web username after logout: null
EJB username after logout: ANONYMOUS
{noformat}
--
This message was sent by Atlassian JIRA (v6.3.11#6341)
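The workaround from the report wired into an Undertow notification receiver, as an added example that is not part of the issue or of the reproducer repository. It assumes WildFly 8.2 with JASPIC already configured for the deployment, a MANIFEST.MF "Dependencies:" entry (or jboss-deployment-structure.xml) on the io.undertow.core, io.undertow.servlet and org.picketbox modules so the Undertow and org.jboss.security classes resolve, and a hypothetical stateless bean CallerNameBean that exposes the EJB caller principal. The two classes are shown as two files in one block:

```java
// ---- File: CallerNameBean.java (hypothetical bean, assumed for the example) ----
package example;

import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/** Reports the identity the EJB container sees for the current invocation. */
@Stateless
public class CallerNameBean {

    @Resource
    private SessionContext ctx;

    public String callerName() {
        try {
            return ctx.getCallerPrincipal().getName();
        } catch (IllegalStateException e) {
            // Some containers throw instead of returning an anonymous principal.
            return "<no caller principal>";
        }
    }
}

// ---- File: LogoutCheckServlet.java ----
package example;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import io.undertow.security.api.NotificationReceiver;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.api.SecurityNotification;
import io.undertow.servlet.handlers.ServletRequestContext;

import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SecurityRolesAssociation;

/**
 * Prints the web and EJB principal before and after HttpServletRequest#logout,
 * applying the PicketBox workaround when Undertow reports the logout.
 * Assumes the request arrives already authenticated through JASPIC.
 */
@WebServlet("/logout-check")
public class LogoutCheckServlet extends HttpServlet {

    @EJB
    private CallerNameBean bean;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out = response.getWriter();

        // Undertow keeps a SecurityContext per exchange and notifies registered
        // receivers with EventType.LOGGED_OUT when the servlet logout runs.
        SecurityContext undertowContext =
                ServletRequestContext.requireCurrent().getExchange().getSecurityContext();
        undertowContext.registerNotificationReceiver(new NotificationReceiver() {
            @Override
            public void handleNotification(SecurityNotification notification) {
                if (notification.getEventType() == SecurityNotification.EventType.LOGGED_OUT) {
                    // Workaround from the report: the web logout leaves the
                    // PicketBox thread-local context (read by EJB invocations)
                    // in place, so clear it and the cached roles by hand.
                    SecurityContextAssociation.clearSecurityContext();
                    SecurityRolesAssociation.setSecurityRoles(null);
                }
            }
        });

        out.println("web username: " + name(request.getUserPrincipal()));
        out.println("EJB username: " + bean.callerName());

        request.logout();

        out.println("web username after logout: " + name(request.getUserPrincipal()));
        out.println("EJB username after logout: " + bean.callerName());
    }

    private static String name(Principal principal) {
        return principal == null ? null : principal.getName();
    }
}
```

Registering the receiver inside the servlet keeps the example self-contained; a deployment that relied on this workaround would instead install it once, for every exchange, from a ServletExtension or handler wrapper. Because the two PicketBox calls reach into WildFly-internal thread-local state, the receiver should be removed again once the container clears the EJB context on logout itself.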