I am using JDBCRealm to do authentication and authorization in my web app. In regard to authentication, I am using FORM with the j_security_check service. I have configured everything, including an HTTP Status 403 error page to which the user is redirected if he/she does not have the required permissions to access a resource. Up to this point, everything is working fine.

The problem comes in when an HTTP Status 403 error is returned. It seems to me that, despite the user not having been authorized, a JSF session is still created for this user as long as he/she has been successfully authenticated. Now, when I try going back to the login page and enter the username and password of a user who has permission to access the resource, it fails to authorize, because authorization is still being applied to the user holding the current session, who apparently does not have the required permission.

What I need to know is how to destroy or invalidate such a session created when an HTTP Status 403 is returned. Thanks.
UPDATE: I think it's important to mention that when the session has timed out, I am able to log in a user who has the required permissions. Just a tip...
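As an added example (not code from the original post), one way to get the behaviour the question asks for: make the 403 error-page location a servlet that invalidates the current session, so the container's FORM authenticator no longer finds a cached principal in it and the next login is evaluated fresh. It assumes a Servlet 3.0+ container (`HttpServletRequest.logout()` and the `@WebServlet` annotation), a login page at the hypothetical path `/login.xhtml`, and the hypothetical servlet path `/errors/forbidden`; the web.xml fragment in the comment is what maps the 403 code to that servlet.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Added example, not part of the original post.
 *
 * web.xml mapping assumed for this servlet (hypothetical paths):
 *
 *   <error-page>
 *     <error-code>403</error-code>
 *     <location>/errors/forbidden</location>
 *   </error-page>
 *
 * When the container answers 403 for an authenticated-but-unauthorized
 * user, it forwards the request here. The principal established by
 * j_security_check lives in the HttpSession, so invalidating that
 * session (and calling logout()) is what lets a different user log in
 * without waiting for the session timeout.
 */
@WebServlet("/errors/forbidden")
public class ForbiddenPage extends HttpServlet {

    private static final String LOGIN_PAGE = "/login.xhtml"; // assumed path

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    // The error dispatch keeps the original HTTP method, so handle POST too.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        handle(req, resp);
    }

    private void handle(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Record who was refused; set by the container before forwarding here.
        String user = req.getRemoteUser();
        String deniedUri = (String) req.getAttribute("javax.servlet.error.request_uri");
        log("403 for user=" + user + " uri=" + deniedUri);

        // Do not create a session just to throw it away: getSession(false).
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate(); // drops the JSF state and the cached FORM principal
        }
        // Servlet 3.0+: clears the principal associated with this request as well.
        req.logout();

        // Keep the 403 status the container already chose and render a page
        // whose only action is to go back to the login form. The denied URI is
        // deliberately not echoed into the HTML, so nothing user-controlled is reflected.
        resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");
        PrintWriter out = resp.getWriter();
        out.println("<!DOCTYPE html><html><head><title>Forbidden</title></head><body>");
        out.println("<h1>403 - Access denied</h1>");
        out.println("<p>Your session has been ended. Log in as a user with the required role.</p>");
        out.println("<p><a href=\"" + req.getContextPath() + LOGIN_PAGE + "\">Log in</a></p>");
        out.println("</body></html>");
    }
}
```

After this page has been served, the browser still holds the old JSESSIONID cookie, but it no longer matches a live session, so the next protected request is challenged by the FORM login again and the new user's roles are the ones checked. Since the container wrote the 403 status before forwarding, the response must not have been committed by a filter or earlier page, or `setStatus` and the session changes will be too late to matter.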