users@glassfish.java.net

Re: How to log users out from Glassfish server - need help from SUN

From: <glassfish_at_javadesktop.org>
Date: Mon, 22 Mar 2010 09:26:48 PDT

As Dominic noted, the server cannot stop a client from caching and resending a BASIC auth authenticator on subsequent requests to the server.

That said, it is also true that by invalidating the session (or calling logout), a server-side application can make it so the authentication results that were held in the session will not be applied when a request is made to an unprotected resource of the App.

After the session is invalidated or logout is called, the client will continue to send the BASIC auth authenticator, but it will only be processed by the server when the request is to a protected resource.

If an HTTPSession is defined when a BASIC authenticator is being processed/authenticated, the result of the authentication will be captured in the session and applied to all subsequent requests, independent of whether they are protected.
[Message sent by forum member 'monzillo']

http://forums.java.net/jive/thread.jspa?messageID=393147
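The server-side behaviour described in the post (invalidate the session, call logout, and then judge authentication by the container principal rather than by the presence of a cached BASIC header) as an added example; this is illustrative code, not code from the thread or from GlassFish. It assumes a Servlet 3.0 container (GlassFish v3), and the servlet names and URL patterns are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout endpoint for a BASIC-auth protected web application.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Servlet 3.0: clear the container's record of the authenticated caller.
        req.logout();
        // Discard the authentication result that was captured in the session.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // The browser will still resend the Authorization header on later requests;
        // the container re-processes it only when the target is a protected resource.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

// Hypothetical unprotected resource: decide on the container principal, never on the raw header.
@WebServlet("/public/whoami")
class WhoAmIServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        boolean headerPresent = req.getHeader("Authorization") != null;
        String user = (req.getUserPrincipal() == null)
                ? "anonymous" : req.getUserPrincipal().getName();
        // After /logout, headerPresent is typically still true while user is "anonymous",
        // because the cached credentials are not applied on an unprotected resource.
        resp.setContentType("text/plain");
        resp.getWriter().println("authorization header present: " + headerPresent);
        resp.getWriter().println("container principal: " + user);
    }
}
```

Deploy both servlets in a war whose web.xml declares BASIC auth and a security constraint that does not cover /public/*, then compare /public/whoami before and after a POST to /logout.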