Currently, when the SecurityFilter runs, it sets a User object on the application's AuthenticationContext, which is a ThreadLocal.

However, when you call DefaultAuthenticator.logout(), this object is not cleared. Is there a good reason for this? Because currently, Confluence does this manually in their logout code, and JIRA doesn't, which has caused a bug to occur in an edge case. It would probably be better design for seraph to handle the clearing of this object.