I think I've found the root of my problem. Basic Authentication.
Not many references talk about it, but it would appear that one of the major architectural
differences between basic and form-based authentication is that basic authentication has
no concept of a logged-in user. The browser sends the credentials every time you access a
protected page.
It's essentially impossible to "log out" a user from a website using basic
authentication because they aren't logged in. The only way to make a webpage
inaccessible to a user with a site using basic authentication is to get their browser to
throw away the credentials. That means restarting the browser, or clearing out cookies.
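The difference described in the post above, as an added example that is not part of the original post: a server-side check for Basic authentication that re-validates the `Authorization` header on every request, next to a form-style login that keeps a server-side session it can invalidate. The names `USERS`, `SESSIONS`, `SESSIONID` and the sample credentials are constructed for illustration and do not come from JBoss.

```python
import base64
import hmac
import secrets

USERS = {"alice": "s3cret"}   # constructed sample credentials
SESSIONS = {}                 # server-side session store (form-based login only)

def _password_ok(user, password):
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(password.encode(), expected.encode())

def check_basic(headers):
    """Basic auth: stateless. Credentials are decoded and checked on every request."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode("utf-8").partition(":")
    except ValueError:        # bad base64 or bad UTF-8
        return None
    return user if _password_ok(user, password) else None

def form_login(user, password):
    """Form-based auth: credentials are sent once and exchanged for a session id."""
    if not _password_ok(user, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid

def check_session(cookies):
    return SESSIONS.get(cookies.get("SESSIONID", ""))

def form_logout(cookies):
    """Logout is a server-side action: the session id stops being valid."""
    SESSIONS.pop(cookies.get("SESSIONID", ""), None)

def demo():
    # The browser replays the same header on each request; there is no server state to revoke.
    request = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}
    basic_results = [check_basic(request) for _ in range(3)]
    cookies = {"SESSIONID": form_login("alice", "s3cret")}
    before = check_session(cookies)
    form_logout(cookies)
    after = check_session(cookies)   # same cookie, now rejected
    return basic_results, before, after

if __name__ == "__main__":
    print(demo())
```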