When an HttpSession expires, it calls valueUnbound() on all session-bound
variables that implement the HttpSessionBindingListener interface. So this
provides a way for expiring HTTP sessions to remove session beans that would
otherwise stay active and eventually consume all resources and cause the
server to crash.

The reasonable thing to do is to call ejb.remove() (and whatever other
methods) within the valueUnbound() method so that the SB can clean up and be
removed on the event.

HOWEVER, if the SB is protected by security constraints, calling methods on
the SB causes either NullPointerExceptions or SecurityExceptions.

In my case, I have an HttpSession which has bound an SB, which in turn has a
reference to an EB. When the session expires, I need to remove the SB, which
in turn must call a method on the EB. If I attempt to just call sb.remove(),
the ejbRemove() method is called but a NullPointerException is thrown in the
EB's wrapper. If I call getCallerPrincipal() in the SB first (which returns
me the "guest" user), then call the EB, a SecurityException is thrown.

Ignoring the fact that the different exceptions may be an Orion bug, the
fact still remains that the "guest" user is calling the SB when calling
through the valueUnbound() method.

SO, the question, once again, is: When an HttpSession expires, what's the
proper way to clean up and remove the EJBs that are bound to that session?

Gerald.
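
The pattern described in the post above, sketched as an added example that is not part of the original message or of Orion's code. The class name SessionBeanHolder is hypothetical; it assumes the session bean is reached through a standard javax.ejb.EJBObject remote reference. It does not solve the caller-identity problem the post raises. It shows where that failure surfaces so it is logged and the bean's non-removal is visible rather than silent.

```java
import java.rmi.RemoteException;
import javax.ejb.EJBObject;
import javax.ejb.RemoveException;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/**
 * Hypothetical holder: bind this to the HttpSession instead of binding
 * the session bean's remote reference directly.
 */
public class SessionBeanHolder implements HttpSessionBindingListener {

    private final EJBObject bean;   // remote reference to the session bean (SB)
    private boolean removed;        // guards against a second remove()

    public SessionBeanHolder(EJBObject bean) {
        this.bean = bean;
    }

    public EJBObject getBean() {
        return bean;
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        // Nothing to do when the holder is bound.
    }

    // Invoked by the container when the attribute is unbound, including
    // on session expiry. The post observes that the caller principal seen
    // by the SB in this path is "guest", not the user who owned the session.
    @Override
    public synchronized void valueUnbound(HttpSessionBindingEvent event) {
        if (removed) {
            return;
        }
        try {
            bean.remove();          // leads to ejbRemove() in the SB
            removed = true;
        } catch (RemoteException | RemoveException | RuntimeException e) {
            // With security constraints on the SB or the EB it uses, the
            // SecurityException / NullPointerException from the post lands
            // here. Record it: the bean instance was NOT removed.
            System.err.println("EJB cleanup failed for session attribute '"
                    + event.getName() + "': " + e);
        }
    }
}
```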