If you are using the WAR archive security, and a user is authenticated, how can they be unauthenticated without shutting down their browser.
It depends on how you are implementing security for or within your WAR archive. There is nothing in your servlet spec about a kind of security unique to WAR archives, so you are either dealing with servlet container provided security, or a custom security system.
Unfortunately the servlet 2.2 spec does not mention a way to logout, so you would have to manually logout the user depending on the type of authentication that's happening. For HTTP Basic or HTTP Digest Authentication, your browser reauthenticates every time, and when it succeeds, it remembers the username and password that worked. To log them out, you can return a 401 error with the correct realm and the user's browser will think it suddenly got the username and password wrong. If you are using Form based authentication or your own custom HttpSession-based security, you can end the session by calling session.invalidate().