I'm using JBoss 4.0.3 (Tomcat 5.5) and have a class which implements HttpSessionListener. When the sessionDestroyed(..) method is invoked (when the session has timed out) I'm not able to call any business logic (Session Beans which are security enabled). I'm getting an error (security exception) which says that the Principal is null, hence the method cannot be executed.
That was not what I expected. The behaviour regarding sessionDestroyed(..) has been changed in the servlet spec. In servlet spec. < 2.4 it says: sessionDestroyed - "Notification that a session was invalidated". In 2.4 this has changed to: "Notification that a session is about to be invalidated".
Why is the Principal reference null during this method?