I'm using Shiro together with the http service in Apache Karaf which in turn uses Jetty under the hood. I use Shiro 1.1.
I've created my own AuthorizingRealm since we have a legacy system that I redirect the authentication to. This seems to work and I can get the currently logged in user as follows: Subject subject = SecurityUtils.getSubject(); When calling the "isAuthenticated" method I can see that the user is logged in.

However, on each call from the web browser to my web application, a new authentication is being made. This means that I can't really log out the user, either explicitly or by session timeout. If I call subject.logout() I can see that the user is indeed logged out since "isAuthenticated" then returns false. But on the next request from the web browser the user is authenticated again and a new session is created. If I restart the web browser then I have to log in again, but as long as the web browser is running the user seems to be automatically re-authenticated.

I use basic authentication and the behaviour is the same in both Chrome and Firefox. Obviously I haven't understood how these things work. Can anyone explain to me how I can log out a user both explicitly and via session timeout?

/Bengt
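The behaviour described in the question is a property of HTTP Basic authentication rather than of the realm: once the browser has obtained credentials it attaches an Authorization header to every subsequent request until it is closed, so an authenticating filter re-authenticates each request and a server-side logout has nothing to revoke. The following added example is a constructed Python model of that difference and is not Shiro code or anything from the original post; the Server class, the constructed user store and the JSESSIONID cookie name are assumptions chosen for illustration. It contrasts a Basic-style filter with a session-cookie filter and shows which one a logout actually affects.

```python
import base64
import hmac
from dataclasses import dataclass, field

# Constructed credential store for the model (not a real user database).
USERS = {"bengt": "s3cret"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: only the headers matter here."""
    headers: dict


@dataclass
class Server:
    """Toy server holding session state, with two different authenticating filters."""
    sessions: dict = field(default_factory=dict)  # session id -> username
    next_id: int = 1

    def create_session(self, user):
        sid = "sess-%d" % self.next_id
        self.next_id += 1
        self.sessions[sid] = user
        return sid

    def logout(self, sid):
        """Server-side logout: invalidate the session if it exists."""
        self.sessions.pop(sid, None)

    def basic_auth_filter(self, request):
        """Model of a Basic-auth filter: any request carrying valid credentials
        is authenticated afresh and gets a new session, regardless of earlier logouts.
        Returns (username, session_id) or (None, None)."""
        auth = request.headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None, None
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None, None
        expected = USERS.get(user)
        # Constant-time comparison so a wrong password leaks nothing via timing.
        if expected is None or not hmac.compare_digest(expected, password):
            return None, None
        return user, self.create_session(user)

    def cookie_auth_filter(self, request):
        """Model of a session filter: only a live server-side session authenticates."""
        cookie = request.headers.get("Cookie", "")
        prefix = "JSESSIONID="
        if not cookie.startswith(prefix):
            return None
        return self.sessions.get(cookie[len(prefix):])


def demo_basic():
    """The browser keeps resending the Authorization header, so the user is
    re-authenticated (with a fresh session) even right after a logout."""
    server = Server()
    creds = base64.b64encode(b"bengt:s3cret").decode()
    request = Request({"Authorization": "Basic " + creds})
    user1, sid1 = server.basic_auth_filter(request)
    server.logout(sid1)              # session is gone on the server...
    user2, sid2 = server.basic_auth_filter(request)  # ...but the same request logs in again
    return user1, user2, sid1 != sid2, sid1 in server.sessions


def demo_cookie():
    """With a session cookie the logout invalidates the only thing the
    browser sends back, so the next request is unauthenticated."""
    server = Server()
    sid = server.create_session("bengt")
    request = Request({"Cookie": "JSESSIONID=" + sid})
    user1 = server.cookie_auth_filter(request)
    server.logout(sid)
    user2 = server.cookie_auth_filter(request)
    return user1, user2


if __name__ == "__main__":
    print("basic :", demo_basic())    # ('bengt', 'bengt', True, False)
    print("cookie:", demo_cookie())   # ('bengt', None)
```

The model makes the security point concrete: with Basic authentication the credential lives in the browser, so neither subject.logout() nor a session timeout can end the login, because the very next request carries a complete credential again; only a session-bound login (a cookie the server can invalidate) gives the server control over logout and expiry.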
