I've developed a portlet-based application on JBoss Portal Version 2.6 using
container-managed authentication/security.
For login to this application, I'm using the LdapExtLoginModule, and using FORM-based
authentication (using j_security_check). This works properly. I successfully authenticate
against my LDAP server.
The problem is when I log out. I perform a logout via PortletSession.invalidate; however,
I can still see the principal and roles attached to subsequent requests (via
PortletRequest.getUserPrincipal() and isUserInRole()). I can traverse to protected
resources despite the fact that my session should have been invalidated; I am not
forwarded to my configured login page. Reviewing the server.log, I am certain my session
is being invalidated and my LdapExtLoginModule.logout for my principal is being called.
For logout, besides invalidating the portlet session, I have also tried calling the
JaasSecurityManager.flushAuthenticationCache to attempt to remove my principal from the
cache. Additionally, I have set the flushOnSessionInvalidation to true in my jboss-web.xml
file.
Are there some known issues in this area? This seems to be a basic/common operation that
should work. Any help greatly appreciated!
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3992675#...