Setting the User Timeout in JBoss

Posted Sun, 23 Nov 2003

When most people think of the session timeout in an EJB application, they're typically thinking about the HttpSession timeout of their web front ends. If, however, you need to set the authenticated user timeout in JBoss, it's as easy as adding a parameter to your configuration files...

Edit /server//conf/jboss-service.xml, and look for the following section:

<!-- JAAS security manager and realm mapping -->
<mbean 
  code="org.jboss.security.plugins.JaasSecurityManagerService" 
  name="jboss.security:service=JaasSecurityManager">
     <attribute 
       name="SecurityManagerClassName">
          org.jboss.security.plugins.JaasSecurityManager
     </attribute>
</mbean>

To set the default timeout value, simply add an attribute inside the mbean tag:

<attribute name="DefaultCacheTimeout">VALUE_IN_SECONDS</attribute>

Each time a client accesses an EJB, the timeout value is checked. If it has been at least as long as the value specified since the last time the client accessed an EJB, then the JAAS manager calls the logout() method of the LoginContext. This will subsequently cause a security exception to be thrown, since the user is no longer authorized to make requests to the EJB.
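
A check for this setting, as an added example that is not part of the original post: the script parses a jboss-service.xml document and reports whether DefaultCacheTimeout is set on the JaasSecurityManager mbean. The sample XML is constructed for the example, and the function name, status labels and the max_seconds limit of 1800 are assumptions, not JBoss defaults.

```python
import xml.etree.ElementTree as ET

# MBean name as it appears in the jboss-service.xml section quoted above.
MBEAN_NAME = "jboss.security:service=JaasSecurityManager"

def audit_cache_timeout(xml_text, max_seconds=1800):
    """Return (status, value) for DefaultCacheTimeout on the JAAS manager mbean.

    max_seconds is an assumed site policy limit, not a JBoss default.
    """
    root = ET.fromstring(xml_text)
    for mbean in root.iter("mbean"):
        if mbean.get("name") != MBEAN_NAME:
            continue
        for attr in mbean.findall("attribute"):
            if attr.get("name") != "DefaultCacheTimeout":
                continue
            raw = (attr.text or "").strip()
            if not (raw.isascii() and raw.isdigit()):
                # e.g. the VALUE_IN_SECONDS placeholder was never replaced
                return ("invalid", raw)
            seconds = int(raw)
            status = "within-limit" if seconds <= max_seconds else "over-limit"
            return (status, seconds)
        return ("unset", None)      # mbean present, attribute never added
    return ("no-mbean", None)       # security manager service not declared

# Constructed sample input: the section from the page wrapped in a <server> root.
SAMPLE_UNSET = """<server>
  <!-- JAAS security manager and realm mapping -->
  <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
         name="jboss.security:service=JaasSecurityManager">
    <attribute name="SecurityManagerClassName">
      org.jboss.security.plugins.JaasSecurityManager
    </attribute>
  </mbean>
</server>"""

def with_timeout(value):
    """Constructed variant of the sample with the attribute added."""
    extra = '  <attribute name="DefaultCacheTimeout">%s</attribute>\n  </mbean>' % value
    return SAMPLE_UNSET.replace("</mbean>", extra)

if __name__ == "__main__":
    for label, doc in [("unset", SAMPLE_UNSET), ("900", with_timeout("900")),
                       ("placeholder", with_timeout("VALUE_IN_SECONDS"))]:
        print(label, audit_cache_timeout(doc))
```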


About

My name is Tim Fanelli, I am a software engineer in Northern NY. I spend most of my time working, and when I can, I try to post interesting things here.
