ClusteredSingleSignOn doesn't remove ssoId from sso cluster on Request.logout

Edit standalone-ha.xml, replace: <subsystem xmlns= "urn:jboss:domain:web:1.2" default -virtual-server= " default -host" native = " false " > <connector name= "http" protocol= "HTTP/1.1" scheme= "http" socket-binding= "http" /> <connector name= "ajp" protocol= "AJP/1.3" scheme= "http" socket-binding= "ajp" /> <virtual-server name= " default -host" enable-welcome-root= " true " > <alias name= "localhost" /> <alias name= "example.com" /> </virtual-server> </subsystem> with: <subsystem xmlns= "urn:jboss:domain:web:1.2" default -virtual-server= " default -host" native = " false " > <connector name= "http" protocol= "HTTP/1.1" scheme= "http" socket-binding= "http" /> <connector name= "ajp" protocol= "AJP/1.3" scheme= "http" socket-binding= "ajp" /> <virtual-server name= " default -host" enable-welcome-root= " true " > <alias name= "localhost" /> <alias name= "example.com" /> <sso cache-container= "web" cache-name= "sso" reauthenticate= " false " /> </virtual-server> </subsystem> Add a application user that belongs to group "guest" with "bin/adduser.sh" Start the server with "bin/standalone.sh --server-config=standalone-ha.xml". Deploy the attached war, or build from https://github.com/stianst/jboss-as-quickstart/tree/clustered_sso_test/servlet-security Open http://localhost:8080/jboss-as-servlet-security/SecuredServlet and login (username is first box, password second) Now press "logout" (this calls Request.logout). You will now see "Logged out". Refresh the page and observer that the user has been reauthenticated from ssoId in the SSO cluster. The workaround has been added to this example as well, press "invalidate" instead of "logout" (this calls Session.invalidate before calling Request.logout).