--- java/org/apache/catalina/authenticator/AuthenticatorBase.java (revision 1770568)
+++ java/org/apache/catalina/authenticator/AuthenticatorBase.java (working copy)
@@ -48,6 +48,7 @@
 import org.apache.catalina.Manager;
 import org.apache.catalina.Realm;
 import org.apache.catalina.Session;
+import org.apache.catalina.TomcatPrincipal;
 import org.apache.catalina.Valve;
 import org.apache.catalina.Wrapper;
 import org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl;
@@ -1107,6 +1108,15 @@
 }
 }
 
+Principal p = request.getPrincipal();
+if (p instanceof TomcatPrincipal) {
+try {
+((TomcatPrincipal) p).logout();
+} catch (Exception e) {
+log.debug(sm.getString("authenticator.tomcatPrincipalLogoutFail"), e);
+}
+}
+
 register(request, request.getResponse(), null, null, null, null);
 }
 
--- java/org/apache/catalina/authenticator/LocalStrings.properties (revision 1770568)
+++ java/org/apache/catalina/authenticator/LocalStrings.properties (working copy)
@@ -30,6 +30,7 @@
 authenticator.requestBodyTooBig=The request body was too large to be cached during the authentication process
 authenticator.sessionExpired=The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser
 authenticator.unauthorized=Cannot authenticate with the provided credentials
+authenticator.tomcatPrincipalLogoutFail=Logout with TomcatPrincipal instance has failed
 digestAuthenticator.cacheRemove=A valid entry has been removed from client nonce cache to make room for new entries. A replay attack is now possible. To prevent the possibility of replay attacks, reduce nonceValidity or increase cnonceCacheSize. Further warnings of this type will be suppressed for 5 minutes.
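Review bot: The new `catch (Exception e)` around `((TomcatPrincipal) p).logout()` reports a failed principal logout only at debug level, so with default logging an operator never learns that the underlying login state may not have been released, even though `register(request, request.getResponse(), null, null, null, null)` then clears the request's principal and the user appears fully logged out. A logout that fails is security-relevant and worth surfacing; I would use `log.warn(sm.getString("authenticator.tomcatPrincipalLogoutFail"), e);` instead, and keep the swallow so logout still completes. Catching every `Exception` also hides runtime errors from the principal implementation, which at debug level disappear entirely; if the interface only declares checked exceptions, narrowing the catch would be preferable, but that cannot be confirmed from this hunk. The `instanceof` test already handles a null principal, so no extra guard is needed there. The enclosing logout(Request) method starts before this hunk.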