hi, I have configed http over jndi and the login process works perfectly. Unfortunately the logout does not work. the codes for logout are very simple: ctx.close(); loginContext.logout(); The problem is that use can login use any arbitrary user and password until shuting down the java VM. I have tested on jboss 3.0.8 and 3.2, same result. In fact, there is nothing in common for the first and second login. After look into SecurityAssociationHandler, I found user name and password were fetched for the second login. Although they are invalid, the login is successful. Can any one give me a hint? Are the logout codes wrong? Thanks a lot!