My Geronimo instance exposes several servlets that provide processing of 
requests.  I've implemented a custom LoginModule, and my 
geronimo-application.xml is configured to require presentation of credentials 
in order to access the servlets.  All of this seems ok.

Some of the clients of my services do not process the JSESSIONID in the service 
response.  So each request from one of these causes a new JaasSecuritySession 
to be created, and stored in the "activeLogins" member Map of JaasLoginService.

My observation in running JProfiler 4.1.3 is that my LoginModule instances are 
not being cleaned up, due to each being held as a member of a child object of 
JaasSecuritySession.

It is not clear how I can cause the "activeLogins" map to be cleaned up.  I can 
see that there is an instance of ExpirationMonitor running periodically.  
However, I do not want to change DEFAULT_MAX_LOGIN_DURATION (one day), as this 
is a container-wide setting.

One idea I had was to manually expire the session at the end of the servlet 
invocation.  HttpSession.invalidate() seems to expire the Tomcat session, but 
not the security session.

Any suggestions for cleaning up these security sessions would be appreciated.


