May be I haven't paid attention to this, but I could not find a consistent way of logout in the Acegi Security System.
I know what needs to be done at the time of logout (setting Context.setAuthentication(null), remove the ACEGI context from HttpSession) etc but I think it should be the part of common code that everyone can use rather than everyone write their own code.
May be AuthenticationManager should have logout method in addition to authenticate that does this cleanup or somewhere else in any helper classes. Infact, it should have 2 methods logout() and logout(HttpServletRequest), so that appropriate methods could be called by the user depending upon how the Acegi is being used.
In our application, we had to provide a consistent way to be used from both web and non-web based application. So, I had to introduce another class (called LoginManager) to have both authenticate and logout methods for both web and non-web clients. Methods that have HttpServletRequest parameter do the same as other method with this param but extra stuff that do specific to the web. For example, in case of authenticate, it also set the webAuthenticationDetails, in case of logout, method with request do cleanup from the session also.
These are just my observations and the way I create wrapper against the Acegi authentication...
What do you think? Do you think, is this something worth integrating to Acegi?