
authentication not cleared after logout?

I am facing an issue where a user logs into an application and has a small set of GrantedAuthorities. The user logs out, then an admin user grants them an additional authority (say, ROLE_POWERUSER) to gain access to new features. The user logs back in and our webapp code recognizes the new GrantedAuthority, but Spring Security seems to hold onto the Authentication from the previous session. I witness debug statements like the following:
Code:
DEBUG 2009-05-14 13:11:38,749 [http-8080-2] org.springframework.security.intercept.AbstractSecurityInterceptor: Secure object: FilterInvocation: URL: /spring/homePage-flow?execution=e1s1; ConfigAttributes: [ROLE_USER]
DEBUG 2009-05-14 13:11:38,749 [http-8080-2] org.springframework.security.intercept.AbstractSecurityInterceptor: Previously Authenticated: org.springframework.security.providers.UsernamePasswordAuthenticationToken@8d32d9c5: Principal: org.springframework.security.userdetails.User@fe09f800: Username: testUser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: 03676F291DA7265A6570871BE34F8BD4; Granted Authorities: ROLE_USER
DEBUG 2009-05-14 13:11:38,749 [http-8080-2] org.springframework.security.intercept.AbstractSecurityInterceptor: Authorization successful
DEBUG 2009-05-14 13:11:38,749 [http-8080-2] org.springframework.security.intercept.AbstractSecurityInterceptor: RunAsManager did not change Authentication object
So, it seems that the default LogoutFilter and associated LogoutHandlers do not remove the Authentication from within Spring and/or expire the user's credentials. Note that at the point this appears in the log, the user has been granted a new authority, but it's not picked up by Spring because the previous authentication seems to have been cached.

Here is our security config for the webapp:
Code:
<s:http auto-config="false" access-denied-page="/403.jsp">
    <s:anonymous />
    <s:concurrent-session-control max-sessions="1"/>
    <s:form-login login-page="/login.faces"
                  authentication-failure-url="/login.faces?error=1"
                  default-target-url="/spring/homePage-flow" />
    <s:logout logout-success-url="/login.faces?msg=logout.msg" invalidate-session="true"/>
    <s:intercept-url pattern="/*.css" filters="none" />
    <s:intercept-url pattern="/*.js" filters="none" />
    <s:intercept-url pattern="/login.faces*" access="ROLE_ANONYMOUS" />
    <s:intercept-url pattern="/spring/admin/**" access="ROLE_ADMIN" />
    <s:intercept-url pattern="/spring/pwr/**" access="ROLE_POWERUSER" />
    <s:intercept-url pattern="/spring/**" access="ROLE_USER" />
</s:http>
We are forwarding users to /j_spring_security_logout for this purpose.  I have done quite a bit of searching in the docs and forums, but have not found out how I can force Spring to clear the previously authenticated user.  I am fairly certain I am missing something simple.

So, I have the following questions:
Should Spring clear the authenticated user when they log out?
And, if the user logs in again right away, shouldn't Spring do a new lookup of their GrantedAuthorities?
Is there a timeout value (like a session timeout) for the authenticated user and, if so, is there a corresponding attribute to set on some Spring object?

Thanks for any help out there!
Rich
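The post above is about what a logout has to leave behind: no Authentication in the SecurityContextHolder and no surviving HttpSession that a later login could pick up. The Java class below is an added example for checking exactly that; it is not code from the thread or from Spring Security itself. It wraps the stock SecurityContextLogoutHandler (the handler the `<s:logout>` element installs, which invalidates the session and calls SecurityContextHolder.clearContext()) and fails loudly if the context is still populated afterwards. It assumes Spring Security 2.0.x package names (the ones the log lines show) and the spring-test mock servlet classes; the class name LogoutVerifyingHandler, the user "testUser" and the password "secret" are constructed for the example.

```java
// Added example, not from the thread: a LogoutHandler that delegates to the stock
// SecurityContextLogoutHandler and then verifies that the SecurityContext is empty.
// Assumes Spring Security 2.0.x packages and the spring-test mock servlet classes.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.ui.logout.LogoutHandler;
import org.springframework.security.ui.logout.SecurityContextLogoutHandler;

/** Hypothetical class name; a diagnostic wrapper around the default logout handler. */
public class LogoutVerifyingHandler implements LogoutHandler {

    // invalidateHttpSession defaults to true, matching invalidate-session="true" above
    private final SecurityContextLogoutHandler delegate = new SecurityContextLogoutHandler();

    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        String user = (authentication == null) ? "<no authentication>" : authentication.getName();
        HttpSession before = request.getSession(false);
        String sessionId = (before == null) ? "<no session>" : before.getId();
        System.out.println("logout: clearing " + user + " (session " + sessionId + ")");

        // The stock handler invalidates the HttpSession and clears the thread-local context.
        delegate.logout(request, response, authentication);

        // Nothing may remain in the SecurityContext once the handler returns; if the
        // "Previously Authenticated" token from the log is still here, logout never ran
        // through this filter for the request.
        Authentication after = SecurityContextHolder.getContext().getAuthentication();
        if (after != null) {
            throw new IllegalStateException("SecurityContext still holds " + after.getName());
        }
        System.out.println("logout: SecurityContext cleared");
    }

    /** Stand-alone demonstration with the spring-test mocks. */
    public static void main(String[] args) {
        // Constructed sample: a user holding only ROLE_USER, as in the log above.
        GrantedAuthority[] authorities = { new GrantedAuthorityImpl("ROLE_USER") };
        Authentication auth = new UsernamePasswordAuthenticationToken("testUser", "secret", authorities);
        SecurityContextHolder.getContext().setAuthentication(auth);

        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/j_spring_security_logout");
        MockHttpSession session = (MockHttpSession) request.getSession(true);

        new LogoutVerifyingHandler().logout(request, new MockHttpServletResponse(), auth);

        // Both conditions must hold after logout: empty context and an invalidated session.
        boolean contextClear = SecurityContextHolder.getContext().getAuthentication() == null;
        System.out.println("context cleared: " + contextClear
                + ", session invalidated: " + session.isInvalid());
    }
}
```

Two things are worth checking before suspecting the handler itself. A servlet filter is only applied to forwarded requests if its filter-mapping in web.xml declares `<dispatcher>FORWARD</dispatcher>`, so a RequestDispatcher.forward to /j_spring_security_logout never reaches the LogoutFilter, while a redirect does. Separately, a re-login goes back through the AuthenticationProvider; if that provider is configured with a UserCache, it can hand back the cached UserDetails with the old authorities, which looks exactly like a cached Authentication in the log.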

Did you ever get a solution for this problem? I'm facing the same problem here.