Home/ Questions/Q 8361789
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-09T11:46:50+00:00

I’m using Spring Security 3.1 and I’m facing a problem with session time outs.

  • 0

I’m using Spring Security 3.1 and I’m facing a problem with session time outs.
I’ve set session time-out in the web.xml as follows:

<session-config>
    <session-timeout>
        45
    </session-timeout>
</session-config>

So session is supposed to be expired after 45 minutes.
However I’ve noticed that session is expired exactly after 2 minutes! Whether I’m working with application or not.

These are my spring security beans:

<bean id="ConcurrentSessionFilterAdmin" class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry"/>
    <property name="logoutHandlers">
        <list>
            <ref bean = "logoutHandler"/>
        </list>
    </property>
    <property name="expiredUrl" value="/admin/login.jsp?error=expiredURL"/>
</bean>
<bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" autowire="byType" />

<bean id="logoutHandler"
    class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
</bean>

<bean id="securityContextPersistenceFilter"
    class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    <property name="securityContextRepository" ref="securityContextRepository"/>
</bean>

<bean id="securityContextRepository"
    class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
    <property name="allowSessionCreation" value="false" />
</bean>
<bean id="logoutFilterAdmin"
    class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg value="/admin/login.jsp" />
    <constructor-arg>
        <list>
            <ref bean="logoutHandler"/>
        </list>
    </constructor-arg>
    <property name="filterProcessesUrl" value="/admin/j_spring_security_logout"></property>
</bean>
<bean id="usernamePasswordAuthenticationFilterAdmin"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="usernameParameter" value="j_username"/>
    <property name="passwordParameter" value="j_password"/>
    <property name="allowSessionCreation" value="false"/>
    <property name="authenticationFailureHandler" ref="authenticationFailureHandlerAdmin"/>
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationSuccessHandler" ref="authenticationSuccessHandlerAdmin"/>
    <property name="continueChainBeforeSuccessfulAuthentication" value="false"/>
    <property name="filterProcessesUrl" value="/admin/j_spring_security_check"/>
    <property name="sessionAuthenticationStrategy" ref="sessionAuthenticationStrategy"/>
</bean>
<bean id="authenticationFailureHandlerAdmin"
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/admin/login.jsp?error=loginfailed" />
</bean>
<bean id="authenticationSuccessHandlerAdmin" 
    class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <property name="requestCache" ref="requestCache"/>
    <property name="defaultTargetUrl" value="/admin/index.html"/>
</bean>

<bean id="requestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache"/>

<bean id="sessionAuthenticationStrategy"
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <property name="maximumSessions" value="1" />
    <property name="migrateSessionAttributes" value="true"/>
</bean>

<bean id="basicAuthenticationFilterAdmin"
    class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
    <property name="authenticationDetailsSource" ref="authenticationDetailsSource"/>
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
    <property name="authenticationManager" ref="authenticationManager"/>
</bean>
<bean id="authenticationDetailsSource"
    class="org.springframework.security.authentication.AuthenticationDetailsSourceImpl"/>
<bean id="requestCacheAwareFilter"
    class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter">
    <constructor-arg ref="requestCache"/>
</bean>

<bean id="securityContextHolderAwareRequestFilter"
    class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
    <property name="rolePrefix" value="ROLE_"/>
</bean>

<bean id="anonymousAuthenticationFilter"
    class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
    <constructor-arg value="KEY"/>
</bean>

<bean id="sessionManagementFilterAdmin" class="org.springframework.security.web.session.SessionManagementFilter">
    <constructor-arg ref="securityContextRepository"/>
    <constructor-arg ref="sessionAuthenticationStrategy"/> 
    <property name="authenticationFailureHandler" ref="authenticationFailureHandlerAdmin"/>
    <property name="invalidSessionStrategy" ref="invalidSessionStrategyAdmin"/>
</bean>
<bean id="invalidSessionStrategyAdmin"
    class="org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy">
    <constructor-arg value="/admin/login.jsp"/>
    <property name="createNewSession" value="false"/>
</bean>
<bean id="exceptionTranslationFilter"
    class="org.springframework.security.web.access.ExceptionTranslationFilter">     
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
    <property name="accessDeniedHandler" ref="accessDeniedHandler" />
    <property name="requestCache" ref="requestCache"/>
</bean>
<bean id="authenticationEntryPoint"
    class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
</bean>
<bean id="accessDeniedHandler"
    class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
</bean>
 <bean id="filterSecurityInterceptorAdmin"
    class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="securityMetadataSource" ref="myFilterInvocationSecurityMetadataSource" />
</bean>
<bean id="myFilterInvocationSecurityMetadataSource" class="com.datx.security.model.MyFilterSecurityMetadataSource" autowire="byName" scope="prototype">
</bean>

After two minutes, I’m redirected to /admin/login.jsp?error=expiredURL which is set in the first bean configuration. (Which means session is expired)

The question is which of these beans are responsible for session expiration? What property haven’t I set that causes this problem?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Spring Security relies on the underlying container, i.e. it’s the container who manages session timeouts(please add information about the container you’re using). However, I believe that web.xml settings usually should have a bigger priority if the server is Java EE compliant.

    Also individual session timeouts can be tweaked dynamically by calling HttpSession.setMaxInactiveInterval() method, or the session can be invalidated by calling invalidate().

    It’s possible for Spring Security to invalidate session in some cases (for example, after logging in, the user gets a new HttpSession).

    Also session invalidation can be caused by Spring Security concurrent-session control mechanism, for example if the max-sessions value is specified.

    You can check when Spring Security invalidates the session by setting DEBUG logging level for org.springframework.security.* namespace, as Spring typically writes such info to the logger.

    • 0