I have a web application where users must log in using form-based login. When this happens, an EJB is bound to the new HTTP session. I'd like to call some cleanup methods on the EJB when the HTTP session expires.

I tried to do this by using HttpSessionBindingListener; the valueUnbound() method of a simple wrapper class calls the EJB's methods to do the cleanup.

Unfortunately, the web container calls this valueUnbound() method with the "anonymous" security credential instead of the credential bound to the session itself. Because my EJB has security constraints on it, the method doesn't get called and the cleanup doesn't happen.

The (new) servlet specification does not describe this scenario at all.

What is the proper solution to this?
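For readers who want to see the setup the question describes, here is an added illustration of the wrapper approach (example code written for this page, not the poster's own). It assumes a hypothetical secured EJB with a local interface `UserSession` that exposes a `cleanup()` method, and a hypothetical JNDI name `java:comp/env/ejb/UserSession`; the comments mark where the container's anonymous identity, rather than the logged-in user's, is in effect.

```java
import java.security.Principal;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Hypothetical local EJB interface; its methods carry role-based security constraints. */
interface UserSession {
    void start(String userName);
    void cleanup();
}

/**
 * Wrapper stored as a session attribute. The container calls valueBound()
 * when the attribute is set and valueUnbound() when the session expires or
 * the attribute is removed.
 */
public class EjbSessionCleanup implements HttpSessionBindingListener {

    private static final String EJB_JNDI_NAME = "java:comp/env/ejb/UserSession"; // assumed name
    private static final String ATTRIBUTE_NAME = "ejbSessionCleanup";

    private final String userName;

    public EjbSessionCleanup(String userName) {
        this.userName = userName;
    }

    /** Called right after form-based login, inside a request that carries the user's credentials. */
    public static void bindAfterLogin(HttpServletRequest request) throws NamingException {
        Principal user = request.getUserPrincipal(); // non-null after a successful form login
        String name = (user == null) ? "anonymous" : user.getName();

        UserSession ejb = lookupEjb();
        ejb.start(name); // runs with the caller's identity; security constraints are satisfied

        HttpSession session = request.getSession(true);
        session.setAttribute(ATTRIBUTE_NAME, new EjbSessionCleanup(name)); // triggers valueBound()
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        // Still inside the login request, so the user's security context is available here.
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // On session expiry this runs on a container thread with no associated request.
        // The caller identity seen by the EJB is the container's "anonymous" identity,
        // not the user bound to the session, so a method that requires a role is rejected
        // and the cleanup described in the question does not happen.
        try {
            UserSession ejb = lookupEjb();
            ejb.cleanup();
        } catch (NamingException e) {
            throw new IllegalStateException("cannot look up " + EJB_JNDI_NAME, e);
        } catch (RuntimeException e) {
            // Typically a javax.ejb.EJBAccessException (or the vendor's equivalent) here,
            // because the security constraint on cleanup() is not met by the anonymous caller.
            throw new IllegalStateException("cleanup for " + userName + " was refused", e);
        }
    }

    private static UserSession lookupEjb() throws NamingException {
        InitialContext ctx = new InitialContext();
        try {
            return (UserSession) ctx.lookup(EJB_JNDI_NAME);
        } finally {
            ctx.close();
        }
    }
}
```

The contrast between `bindAfterLogin()` and `valueUnbound()` is the whole point: the first runs on a request thread that carries the authenticated principal, the second runs on a container thread that carries none, which is why the same secured EJB accepts the call in one place and refuses it in the other.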