Need comment on Issue #174 ASAP
Can you have a look at #174, and let me know what you think ASAP?
To summarize, I think the RememberMeInterceptor must call invocationContext.proceed(), to delegate to the other interceptors/underlying HAM, when intercepting cleanSubject().
The spec says only that it must call rememberMeIdentityStore.removeLoginToken(), which is indeed necessary, but not sufficient -- the Subject is never cleaned.
I'm preparing a commit to implement this in Soteria, but would appreciate your review, as this is a significant behavior change in an area the spec is silent on.
--
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Developer Experience
35 Network Drive, Burlington, MA 01803
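
The behavior described in the message above, as an added example that is not part of the original message and is not Soteria code: a logout that only removes the remember-me token leaves the Subject populated, while one that also delegates clears it. `TokenStore`, `Mechanism` and `interceptCleanSubject` are hypothetical stand-ins for `RememberMeIdentityStore`, the underlying HAM and the interceptor's `cleanSubject()` handling, and the `proceed` argument models `invocationContext.proceed()`.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.Callable;

// Simplified model (assumption): these types only mimic the shape of the real APIs.
public class CleanSubjectDemo {
    interface TokenStore { void removeLoginToken(String token); }    // models RememberMeIdentityStore
    interface Mechanism { void cleanSubject(Set<String> subject); }  // models the underlying HAM

    // Models the interceptor around cleanSubject(); 'proceed' models invocationContext.proceed().
    static void interceptCleanSubject(TokenStore store, String cookieToken,
                                      Callable<Void> proceed, boolean delegate) throws Exception {
        if (cookieToken != null) {
            store.removeLoginToken(cookieToken);  // the step the spec text requires
        }
        if (delegate) {
            proceed.call();                       // the step the message proposes adding
        }
    }

    // Runs one logout and returns what is left: {principals in Subject, tokens in store}.
    static int[] logout(boolean delegate) throws Exception {
        Set<String> subject = new HashSet<>(List.of("alice"));   // constructed sample principal
        Set<String> tokens = new HashSet<>(List.of("tok-123"));  // constructed sample token
        Mechanism ham = s -> s.clear();                          // the HAM is what clears the Subject
        interceptCleanSubject(tokens::remove, "tok-123",
                () -> { ham.cleanSubject(subject); return null; }, delegate);
        return new int[] { subject.size(), tokens.size() };
    }

    public static void main(String[] args) throws Exception {
        int[] tokenOnly = logout(false);
        int[] delegated = logout(true);
        System.out.println("token removal only : principals=" + tokenOnly[0]
                + " tokens=" + tokenOnly[1]);
        System.out.println("removal + proceed(): principals=" + delegated[0]
                + " tokens=" + delegated[1]);
    }
}
```

A regression test for the real interceptor can assert the same two conditions after logout: the login token is gone from the store and the caller's Subject holds no principals.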