My application uses a custom-built LoginModule giving rights for users to stateful EJBs protected by security-roles.
This works fine, but I would like to establish an HttpSessionBindingListener that does some cleanup/remove on the user's EJBs on HTTP session timeout.
This obviously has to be done in the same security context as the original - and now disappeared - user.
I tried several different approaches without success.
Does anybody have an idea?
Why isn't this done on the logout method of the custom login module? You can flush the auth cache on session invalidation to trigger this, or use the jboss-web.xml flushOnSessionInvalidation=true attribute on the security-domain element.
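
The reply's suggestion as an added example, not code from either poster: a base class whose `logout()` runs per-user cleanup, with the jboss-web.xml attribute shown in the header comment. `CleanupOnLogoutModule`, `SessionCleanup`, `subject()` and the domain name are hypothetical, and the example assumes the application stores a `SessionCleanup` as a private credential of the Subject for each stateful bean it creates.

```java
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/*
 * Descriptor side (WEB-INF/jboss-web.xml), using the attribute named in the reply.
 * The domain name is a placeholder:
 *
 *   <jboss-web>
 *     <security-domain flushOnSessionInvalidation="true">java:/jaas/example-domain</security-domain>
 *   </jboss-web>
 */
public abstract class CleanupOnLogoutModule implements LoginModule {

    /** Hypothetical hook: one instance per stateful bean, stored as a private credential. */
    public interface SessionCleanup {
        void cleanup() throws Exception;
    }

    /** Subject received in initialize(); supplied by the concrete (existing) module. */
    protected abstract Subject subject();

    @Override
    public boolean logout() throws LoginException {
        Subject s = subject();
        if (s == null) {
            return false; // initialize() never ran: nothing to clean, module is ignored
        }
        LoginException failure = null;
        // getPrivateCredentials(Class) returns a snapshot, so removing inside the loop is safe.
        for (SessionCleanup c : s.getPrivateCredentials(SessionCleanup.class)) {
            try {
                c.cleanup();
            } catch (Exception e) {
                if (failure == null) {
                    failure = new LoginException("session cleanup failed: " + e);
                }
            } finally {
                if (!s.isReadOnly()) {
                    s.getPrivateCredentials().remove(c); // drop the handle either way
                }
            }
        }
        if (failure != null) {
            throw failure; // report the first failure after every hook has run
        }
        return true; // a subclass override calls super.logout(), then removes its own principals
    }
}
```

How each `SessionCleanup` authenticates its EJB call is left to the application; the base class only guarantees that every hook runs once and that its handle is dropped from the Subject.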