I think this is your issue:
On Jun 2, 2010, at 9:04 AM, glassfish_at_javadesktop.org wrote:
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm-name>file</realm-name>
> </login-config>
Because you're using BASIC authentication, the user credentials are
stored in the browser and will keep being sent to the server when
needed. It's very hard to log someone out when using basic auth.
Instead, consider using form-based authentication.
If you're using a semi-recent build of GF v3, Java EE 6 also allows
you to collect user info and call login() on the http request. Here's
an example:
http://blogs.sun.com/bobby/entry/authentication_without_the_form
Cheers,
Bobby