After having authenticated via JASPIC, calling HttpServletRequest#logout and then requesting the caller/user principal (all within the same request), WildFly 8.2 will correctly clear out the principal for the web context, but will NOT clear out the principal for the EJB context.

Cross-checking with the RI (GlassFish 4.0/4.1) reveals that there the EJB context is indeed cleared out.

As a workaround, calling the following code after logout (e.g. in an Undertow event handler for SecurityNotifications) will clear the EJB context, but this code should of course not be needed to be called by user apps:

SecurityContextAssociation.clearSecurityContext();
SecurityRolesAssociation.setSecurityRoles(null);

A reproducer for this issue is available at: https://github.com/arjantijms/javaee7-samples/blob/master/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/servlet/PublicServletPublicEJBLogout.java

For WildFly 8.2 this will print:

web username: test
EJB username: test
web username after logout: null
EJB username after logout: test

For GlassFish 4.0/4.1 this will print:

web username: test
EJB username: test
web username after logout: null
EJB username after logout: ANONYMOUS