As per Jed's comment on SER-110:
If there is still a Session (with the logged out user mapping) the DefaultAuthenticator aborts and returns a null user. BasicAuthentication requests are thus subverted.
As per Jed's comment on SER-110:
If there is still a Session (with the logged out user mapping) the DefaultAuthenticator aborts and returns a null user. BasicAuthentication requests are thus subverted.