Hard lesson learnt, playing with JAAS & Tomcat.
When using basic authentication:
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
it is NOT possible to log out programmatically. You have to close the browser.
session.invalidate() will do NOTHING!!
I'm not missing anything. It's just not possible. The browser keeps the credentials in memory and keeps re-submitting them. So calling invalidate serves no purpose, as the very next thing you try will just end up with you being logged in again.
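
The exchange described above, as an added example that is not code from this post or from Tomcat: a small in-memory model of a container doing BASIC auth with cookie sessions, and of a browser that caches the Authorization header. The class names, the `/logout` path and the credentials are constructed for illustration.

```python
import base64, hmac, secrets

USERS = {"alice": "s3cret"}  # constructed credentials

class Server:
    """Hypothetical model of a container: BASIC auth plus cookie sessions."""
    def __init__(self):
        self.sessions = {}  # session id -> user name

    def _check_basic(self, header):
        if not header or not header.startswith("Basic "):
            return None
        try:
            user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
        except ValueError:  # covers bad base64 and bad UTF-8
            return None
        ok = user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode())
        return user if ok else None

    def handle(self, path, headers):
        sid = headers.get("Cookie")
        user = self.sessions.get(sid)
        if user is None:  # no live session: fall back to the Authorization header
            user = self._check_basic(headers.get("Authorization"))
            if user is None:
                return 401, {"WWW-Authenticate": 'Basic realm="demo"'}, None
            sid = secrets.token_hex(8)
            self.sessions[sid] = user
        if path == "/logout":
            self.sessions.pop(sid, None)  # stands in for session.invalidate()
            return 200, {}, user
        return 200, {"Set-Cookie": sid}, user

class Browser:
    """Hypothetical browser: keeps BASIC credentials in memory until closed."""
    def __init__(self, server):
        self.server, self.cookie, self.cached_auth = server, None, None

    def get(self, path, credentials=None):
        headers = {k: v for k, v in (("Cookie", self.cookie),
                                     ("Authorization", self.cached_auth)) if v}
        status, resp, user = self.server.handle(path, headers)
        if status == 401 and credentials:  # user answers the login prompt once
            token = base64.b64encode(":".join(credentials).encode()).decode()
            self.cached_auth = headers["Authorization"] = "Basic " + token
            status, resp, user = self.server.handle(path, headers)
        self.cookie = resp.get("Set-Cookie", self.cookie)
        return status, user
```

Logging in, requesting `/logout` and then requesting any page again returns 200 for the same user under a new session id; only a fresh `Browser` object, the equivalent of closing the browser, gets the 401 challenge.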