I'm using Spring Security to authenticate users in my web platform developed with Spring. I would like to manage session timeout errors through a redirect to the login page, but I can't find anything about the default timeout, so I found

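    http.sessionManagement()
        // invalidSessionUrl() is a method of the session-management configurer,
        // so it has to be called before maximumSessions()
        .invalidSessionUrl("/login.html")
        .maximumSessions(1).expiredUrl("/login.html");
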
but I also read about

    import javax.servlet.http.HttpSessionEvent;
    import javax.servlet.http.HttpSessionListener;

    public class SessionListener implements HttpSessionListener {

        @Override
        public void sessionCreated(HttpSessionEvent event) {
            System.out.println("==== Session is created ====");
            event.getSession().setMaxInactiveInterval(5*60);
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent event) {
            System.out.println("==== Session is destroyed ====");
        }
    }

So, since it is a delicate task, I need some advice: with event.getSession().setMaxInactiveInterval(5*60); I can set the timeout, and with expiredUrl("/login.html") I can catch errors about an expired session and redirect to the login page? Is that correct? Thanks

UPDATE: I tried with this code (my old code plus invalidSessionUrl and expiredUrl), but it always goes to the invalidSession.html page and then I have to return to the main page. Furthermore, logout goes to the login page and not to the login?logout page.

    http
        .authorizeRequests() //Authorize Request Configuration
            .anyRequest().hasAnyRole(rolesArray)//.authenticated()
            .and() //Login Form configuration for all others
        .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
        .exceptionHandling().accessDeniedPage("/403")
            .and()
        .logout()
            .logoutSuccessUrl("/login?logout")
            .permitAll()
            .and()
        .sessionManagement()
            .invalidSessionUrl("/invalidSession.html")
            .maximumSessions(1)
            .expiredUrl("/sessionExpired.html");
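
The following is an added example, not part of the original post: one way to wire the two redirects so that a timed-out session and a session displaced by concurrency control each reach their own page. It assumes Spring Security 4/5 with WebSecurityConfigurerAdapter, the container's default JSESSIONID cookie name, and placeholder role names; the class name is hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SessionTimeoutSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: placeholder roles standing in for the post's rolesArray.
    private static final String[] ROLES = {"USER", "ADMIN"};

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Redirect targets must be readable without a valid session,
                // otherwise the redirect itself is intercepted again.
                .antMatchers("/invalidSession.html", "/sessionExpired.html").permitAll()
                .anyRequest().hasAnyRole(ROLES)
                .and()
            .formLogin().loginPage("/login").permitAll()
                .and()
            .exceptionHandling().accessDeniedPage("/403")
                .and()
            .logout()
                .logoutSuccessUrl("/login?logout")
                // The browser still sends the old session cookie after logout;
                // deleting it keeps /login?logout from being treated as an
                // invalid-session request.
                .deleteCookies("JSESSIONID")
                .permitAll()
                .and()
            .sessionManagement()
                // Session id presented but unknown to the container (e.g. timed out).
                .invalidSessionUrl("/invalidSession.html")
                // Session marked expired because the same user logged in elsewhere.
                .maximumSessions(1)
                .expiredUrl("/sessionExpired.html");
    }

    // Lets concurrency control learn when the container destroys a session.
    // It must be registered as a servlet listener (Spring Boot does this for
    // listener beans; otherwise declare it in web.xml).
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

The inactivity timeout itself is still set separately, for example by the setMaxInactiveInterval call in the listener shown in the post.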