destroy session upon logging out.Help!

[mmalonzo]

Hi. I am a new user of acegi and i do have question regarding invalidation of session upon logging out. In my application, i only had the line "session.invalidate();" in the action. when i tried getting the authentication object from the context holeder (which i think holds the user's info), after "session.invalidate()", the authentication object is not null.so when the user tries clicking "BACK" button (in the browser), he/she is directed to his/her previously visited page.

I am using the code below to extract the authentication object:
SecureContext sContext=((SecureContext)ContextHolder.getContext( ));
Authentication auth = sContext.getAuthentication();

i had included in the bean filterInvocationInceptor(applicationContext-acegi-secutity.xml) that all my jsp pages would require an authority "ROLE_SOMEROLE", but since i am still getting the user's granted authority (even after logging off), my user is able to navigate back to the previous page.

I am just playing around here.. so i had tried:
HttpSessionIntegrationFilter hsif= new HttpSessionIntegrationFilter();
hsif.destroy();
but still not working. when i try
SecureContext sContext2=((SecureContext)ContextHolder.getContext ());
Authentication auth 2= sContext2.getAuthentication();
again, auth2 returns what my other variable auth returns.

Please help. any will be much appreciated. thanks in advance!

[Ben Alex]

That's a bit odd, and I'd suggest it's related to your filter ordering being incorrect. Check out http://acegisecurity.sourceforge.net...-filters-order. Note 0.8.0 will be released today, so you're probably best off waiting and getting it working with that release (ContextHolder management has changed).