Currently we store the session resources (including DrillClient) in a session attribute, a SessionAuthentication object, which implements HttpSessionBindingListener. Whenever a session is invalidated, all of its attributes are removed, and if an attribute's class implements HttpSessionBindingListener, the listener is informed. SessionAuthentication's implementation of HttpSessionBindingListener logs out the user, which includes cleaning up the resources as well, but SessionAuthentication relies on the ServletContext stored in a thread-local variable (see here). In the thread that cleans up expired sessions there is no ServletContext in the thread-local variable, so the user is not logged out properly and resources leak.
Fix: Add an HttpSessionEventListener to clean up the SessionAuthentication and resources every time an HttpSession expires or is invalidated.
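
A sketch of the cleanup pattern described in the fix, as an added example that is not Drill's own code: a standard `javax.servlet.http.HttpSessionListener` that releases per-session resources without touching any thread-local context, so it behaves the same on a request thread and on the container's session-expiry thread. The attribute name `example.session.resources` and the assumption that the stored object implements `AutoCloseable` are hypothetical.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added example: releases per-session resources when the container destroys a session.
 * sessionDestroyed() fires for explicit invalidation and for timeout expiry alike, so
 * nothing in it may depend on request-scoped or thread-local state.
 * Register it with a <listener> element in web.xml, @WebListener, or
 * ServletContext.addListener(...).
 */
public class SessionCleanupListener implements HttpSessionListener {
  private static final Logger LOG =
      Logger.getLogger(SessionCleanupListener.class.getName());

  // Hypothetical attribute name, chosen for this example only.
  static final String RESOURCES_ATTR = "example.session.resources";

  @Override
  public void sessionCreated(HttpSessionEvent se) {
    // Nothing to do here: resources are attached to the session at login time.
  }

  @Override
  public void sessionDestroyed(HttpSessionEvent se) {
    // The session is handed to us through the event; no ServletContext lookup needed.
    HttpSession session = se.getSession();
    Object held = session.getAttribute(RESOURCES_ATTR);
    if (!(held instanceof AutoCloseable)) {
      return; // unauthenticated session, or resources already released
    }
    try {
      ((AutoCloseable) held).close();
    } catch (Exception e) {
      // Do not log the session id: it is a bearer credential until the session is gone.
      LOG.log(Level.WARNING, "Failed to release resources for an expired session", e);
    } finally {
      // Unbinding may also notify an HttpSessionBindingListener on the attribute,
      // so close() on the stored object should be idempotent.
      session.removeAttribute(RESOURCES_ATTR);
    }
  }
}
```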