Hi, I checked the FAQ but couldn't find anything to solve my problem. I am using JBoss 4.0.3 with Java 1.5_06 and am developing a web-application frontend with struts for a fully implemented EJB application layer running on JBOSS. I have a lot of experience writing stand-alone Tomcat applications but virtually no experience with EJBs and JBoss. Anyway heres the problem: I implemented an HttpSessionListener that does certain final cleaning-up jobs just before the http-session is about to expire/invalidate. When the user logs off by clicking the logoff button in the frontend, session.invalidate() is called, the public void sessionDestroyed(HttpSessionEvent event) method in my SessionListener class is executed as expected and everything is fine. In the "sessionDestroyed" method I access a cleanup(int id) method that I call from the remoteInterface provided by the application-layer. However if the user doesn't actively log off but waits for his http-session to expire by timeout, I get the following exception when the sessionDestroyed() method in the SessionListener class tries to do its work: java.lang.SecurityException: Insufficient method permissions, principal=null, ejbName=AppLayerEJB, method=cleanup, interface=REMOTE, requiredRoles=[superuser, basicuser], principalRoles=[] | at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:258) | at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:143) | at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:192) | at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:122) | at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:624) | at org.jboss.ejb.Container.invoke(Container.java:873) | at sun.reflect.GeneratedMethodAccessor98.invoke(Unknown Source) | at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) | at java.lang.reflect.Method.invoke(Unknown Source) | at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141) | at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80) | at org.jboss.mx.server.Invocation.invoke(Invocation.java:72) | at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245) | at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644) | at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:155) | at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:104) | at org.jboss.invocation.InvokerInterceptor.invokeLocal(InvokerInterceptor.java:179) | at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:165) | at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:46) | at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:55) | at org.jboss.proxy.ejb.StatelessSessionInterceptor.invoke(StatelessSessionInterceptor.java:97) | at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:86) What really puzzles me is that this only works from the SessionListener when the user logs-off normally but not at session-timeout. The application layer seems to "forget" the user even though the HttpSession is still existent and the id passed to cleanup(int id) can be accessed and is existent. please help. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4120464#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...