My application uses a custom-built LoginModule giving rights for users to stateful EJBs protected by security-roles.
This works fine, but I would like to establish a HttpSessionBindingListener that does some cleanup/remove on the user's EJBs on HTTP session timeout.
This obviously has to be done in the same security context as the original - and now disappeared - user.
I tried several different approaches without success.
Does anybody have an idea?
regards/Peter
Why isn't this done on the logout method of the custom login module? You can flush the auth cache on session invalidation to trigger this, or use the jboss-web.xml flushOnSessionInvalidation=true attribute on the security-domain element.