Calling logout() on your LoginModule is only possible if you do a JAAS login with a handle to your CallbackHandler and LoginContext. In the case of web applications the container does this Jaas Login eventhough you have your LoginModule. The container has the instance of the Callback Handler & passes that as arguments to your initialize()method. So calling logout() method on your CustomLoginModule is ruled out when do a web based login...There is no way you can do it from your browser.... Next question is :- Are you certain that the Principal is not cleared from our session... Check it as follows after session time out:- | Principal p = request.getPrincipal() If the Principal is null then it works else we have an issue......I tried it with jboss 5 Beta 3 & it works...You are redirected to the Login Page again & asked to authenticate View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4124977#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...