I have set up a custom security-domain in WildFly 9.0.2.Final for testing which looks like this:
<!-- cache-type="default" keeps authenticated principals in WildFly's in-memory cache -->
<security-domain name="LDAPAuth" cache-type="default">
    <authentication>
        <!-- LdapExtended looks up the user's DN, binds as that DN with the supplied
             password, then searches the roles context for the user's group entries -->
        <login-module code="LdapExtended" flag="required">
            <!-- JNDI settings for the directory connection.
                 "simple" bind over plain ldap:// sends the password in clear text;
                 use ldaps:// (or StartTLS) outside of local testing -->
            <module-option name="java.naming.factory.initial"
                           value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url"
                           value="ldap://localhost:389"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <!-- Where and how to find the user; {0} is the submitted username -->
            <module-option name="baseCtxDN" value="ou=People,dc=acme,dc=com"/>
            <module-option name="baseFilter" value="(uid={0})"/>
            <!-- Where and how to find the user's roles; {1} is the user's DN.
                 The "cn" of each matching role entry becomes a role name -->
            <module-option name="rolesCtxDN" value="ou=Roles,dc=acme,dc=com"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
        </login-module>
    </authentication>
</security-domain>
In my web.xml I have referenced this security-domain name (LDAPAuth) in my login-config.
When I provide a valid username and password configured in my local LDAP, I am allowed in; otherwise authentication fails. This works great. The problem is, once I've authenticated once, I'm never prompted again unless I close that browser window and open a new one. It doesn't matter if I manually call session.invalidate() in my code, if the session just naturally expires (I have it set to 1 minute for testing), or even if I restart the server! I'm new to WildFly, but my experience working with other app servers tells me that I should be re-prompted in any of the above scenarios, so what am I missing?
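For reference, this is how the deployment side of such a setup is usually wired to the security domain above. It is an added example and not part of the original question: the BASIC auth-method, the /secure/* URL pattern and the role name admin are assumptions (the question states none of them), while the one-minute session timeout matches what the question describes.

```xml
<!-- WEB-INF/jboss-web.xml: binds the deployment to the "LDAPAuth" security domain.
     Without this, WildFly falls back to its default security domain ("other"). -->
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee">
    <security-domain>LDAPAuth</security-domain>
</jboss-web>

<!-- WEB-INF/web.xml: container-managed security for the same deployment.
     auth-method, url-pattern and the "admin" role are assumed for this example. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected area</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- must match a "cn" returned by roleAttributeID in the login module -->
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <login-config>
        <!-- BASIC: the browser re-sends the Authorization header on every request -->
        <auth-method>BASIC</auth-method>
        <realm-name>LDAPAuth</realm-name>
    </login-config>
    <session-config>
        <!-- minutes; 1 as in the question's test setup -->
        <session-timeout>1</session-timeout>
    </session-config>
</web-app>
```

Two settings in this pairing determine whether a user is re-prompted, and both are worth checking in the real deployment. With BASIC (or DIGEST) authentication the browser caches the credentials and re-sends the Authorization header with every request for the lifetime of the browser process, so invalidating or expiring the server-side HTTP session, or restarting the server, does not by itself cause a new prompt; only FORM authentication ties the login to the server-side session. Separately, cache-type="default" on the security domain keeps the authenticated principal in WildFly's in-memory cache; it can be cleared from the CLI with /subsystem=security/security-domain=LDAPAuth:flush-cache.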