1 Reply Latest reply on Jul 30, 2005 12:49 PM by Scott Stark

    Saved Subject

    Peter Buus Newbie

      My application uses a custom built LoginModule giving rights for users to stateful EJB's protected by security-roles.
      This works fine, but I would like to establish a HttpSessionBindingListener that does some cleanup/remove on the users EJB's on http session timeout.
      This obviously has to be done in the same security context as the original - and now disappeared - user.
      I tried several different approaches without success.
      Does anybody have an idea?

      regards/Peter

        • 1. Re: Saved Subject
          Scott Stark Master

          Why isn't this done on the logout method of the custom login module? You can flush the auth cache on session invalidation to trigger this, or use the jboss-web.xml flushOnSessionInvalidation=true attribute on the security-domain element.