If you are interested, I have an app where this is all working. I use FormAuthentication, and have a logout.jsp that we use for logging out: <% // get the current subject and its context within the security realm final javax.security.auth.Subject subject = (javax.security.auth.Subject) new javax.naming.InitialContext().lookup("java:comp/env/security/subject"); final javax.security.auth.login.LoginContext context = new javax.security.auth.login.LoginContext("security.realm", subject); // logout the context and invalidate the session context.logout(); request.getSession().invalidate(); // redirect back to the default page for the context path response.sendRedirect(request.getContextPath() + "/"); %> Hope this helps. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4040058#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...