how to clear user principals after logout?
The case is easy: the user clicks logout, the request goes to LogoutFilter and:
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// inside LogoutFilter.doFilter(request, response, chain)
HttpServletRequest hreq = (HttpServletRequest) request;
HttpSession session = hreq.getSession(false); // null when there is no session
if (session != null) {
    session.invalidate();
}
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.reset();
// setHeader() replaces any earlier value, so the directives go in one header
httpResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
httpResponse.setHeader("Pragma", "no-cache");
httpResponse.setDateHeader("Expires", 0);
chain.doFilter(request, response);
And on the page a login link is shown. The problem is easy: the session is recreated, but the user principals are cached, so no login popup is shown and the application uses the cached principals, because request.getUserPrincipal() returns a non-null object.
The question is simple: is there any way to remove the user principals too, so the browser asks to log in again after logout?
Instead of just clearing the cache on logout, have a filter for your application that always sets those header values on the response, for every request to a page in your application. This way, none of your pages will be cached. Clear your browser cache and try again. Does that fix anything?
When the user logs out I would consider redirecting them (using a 302 redirect) to a 'logged out' page after you've invalidated their session. That 'hopefully' will stop request.getUserPrincipal() from returning anything.
BTW, the cache work that you're doing does nothing to your web application's cache. What you're specifying there is how web clients and web proxies should consider caching that particular request. So, those values are used after the request leaves your server and goes out 'into the wild'.
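Both answers above as working filters, as an added example that is not code from the question or either answer. It assumes a Servlet 3.0+ container under the javax.servlet namespace (Jakarta EE 9+ renames it jakarta.servlet), that protected pages live under /app/*, that the logout link points at /app/logout, and that /loggedout.html is outside any security constraint; those paths are assumptions, not from the page. It also goes one step beyond the answers: HttpServletRequest.logout() (Servlet 3.0) is the call that actually tells the container to drop the principal. The caveat a practitioner wants: that only helps with FORM authentication. With BASIC authentication the browser keeps resending the Authorization header on every request and the container re-authenticates silently, so no server-side call, session invalidation or cache header can force the login popup to reappear. Each class below belongs in its own file, as the comments mark.

```java
// --- NoCacheFilter.java ---
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Answer 1: set the no-cache headers on every response, not only at logout.
 * Assumed pattern: /app/* is where the protected pages live; static assets
 * are deliberately left out so they stay cacheable.
 */
@WebFilter(urlPatterns = "/app/*")
public class NoCacheFilter implements Filter {

    /** Shared so the logout filter emits exactly the same headers. */
    public static void apply(HttpServletResponse resp) {
        // setHeader() replaces any previous value, so separate calls for
        // no-cache, no-store and must-revalidate would leave only the last one.
        resp.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        resp.setHeader("Pragma", "no-cache");   // for HTTP/1.0 caches
        resp.setDateHeader("Expires", 0);       // already expired
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        apply((HttpServletResponse) resp);
        chain.doFilter(req, resp);
    }
}

// --- LogoutFilter.java ---
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Answer 2: invalidate, then 302 to a public page instead of rendering the
 * current page. Assumed mapping: the logout link points at /app/logout and
 * /loggedout.html sits outside the security constraint.
 */
@WebFilter(urlPatterns = "/app/logout")
public class LogoutFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hresp = (HttpServletResponse) resp;

        // Servlet 3.0+: tell the container to forget the principal. With FORM
        // auth this is what makes getUserPrincipal() return null on the next
        // request. With BASIC auth the browser resends the Authorization header
        // and the container re-authenticates silently; nothing here can stop that.
        hreq.logout();

        HttpSession session = hreq.getSession(false);   // don't create one just to kill it
        if (session != null) {
            session.invalidate();
        }

        // The redirect response itself must not be cached either. Applied here as
        // well because annotation-registered filters have no defined order.
        NoCacheFilter.apply(hresp);
        hresp.sendRedirect(hreq.getContextPath() + "/loggedout.html");
        // chain.doFilter() is deliberately not called: the request ends here, so no
        // protected content is produced while the old credentials are still attached.
    }
}
```

The logout filter never calls response.reset(), which the original code did: reset() wipes every header set earlier in the chain, including the no-cache ones, and is only needed when something has already been written to the buffer. If filter ordering matters for other reasons, declare both filters in web.xml, where mapping order is the declaration order.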