Home/ Questions/Q 7411829
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-29T06:26:52+00:00

I currently have a web application that is utilizing Spring Security hosted on a

  • 0

I currently have a web application that is utilizing Spring Security hosted on a JBoss 5 server.

My issue is that if a user is idle for a few minutes then their session times out due to web.xml setting. Once in a while they when try to hit the webapp when their session is invalid they get a 404 error. The only way the browser can see the web app is when the user clears their browser cache.

Is there a way a fix for this so that the user doesn’t have to clear out their browser cache?

Here is my spring security xml

<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/login" access="permitAll" />
    <security:intercept-url pattern="/resources/**" access="permitAll" />
    <security:intercept-url pattern="/import/trades" access="permitAll" />
    <!-- 
        The roles are prefix with the word ROLE 
        and it is upper case due to ldapAuthoritiesPopulator config section 
    -->
    <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_NBFIEPN_USERS', 'ROLE_NBFIEPN_DEVELOPERS')" />        

    <security:form-login login-page="/login" authentication-failure-url="/login?error=true"/>

    <security:logout />
</security:http>

Here’s my web.xml file. I have currently set the session timeout to 1 minute to replicate the issue.

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                        http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <display-name>TBA Web Application</display-name>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring/security-config.xml
        </param-value>
    </context-param>
    <servlet>
        <servlet-name>horizon</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
                /WEB-INF/spring/applicationContext.xml
                /WEB-INF/spring/applicationContext-service.xml
                /WEB-INF/spring/mvc-config.xml
            </param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>horizon</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Session Timeout in minutes -->  
    <session-config> 
        <session-timeout>1</session-timeout> 
    </session-config>

</web-app>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Add this configuration to your spring security configuration

    <security:http...>
   ...
  <security:session-management invalid-session-url="/login"/>
</security:http>

    Desription for invalid-session-url parameter:

    The URL to which a user will be redirected if they submit an invalid session indentifier. Typically used to detect session timeouts.

    It should guid the user with an invalid session to the login page.

    • 0