I have a JAASRealm that I'm using with some legacy authentication/authorization code that requires the session id. In tomcat the JAAS Login Module does not have access to the HTTPSession. A new session is created after the Login Module commits (so using a valve to access the session does not work). I am trying to use a HttpSessionListener with the JAAS Login Module, but the sessionCreated, and sessionDestroyed methods are never triggered. Is that intentional? Are there other ways a session could be created without triggering the HttpSessionListener? Thank you in advance for any constructive help, pointers or advice. S