Sam Sam - 8 months ago 26
Java Question

How to get session time out message using Spring security

I want to get the session time out message when the session expires.Below is my spring-security.xml

<http auto-config="true" use-expressions="true">
<logout logout-success-url="/" invalidate-session="true" logout-url="/LogOut"/>
<form-login login-page="/Login" username-parameter="Name" password-parameter="Pwd"/>
<session-management invalid-session-url="/?timeout=true">
<concurrency-control max-sessions="1" expired-url="/Timeout?timeout=true" />

According to my knowledge using above code when the session expired it should redirect to
/?timeout=true OR /Timeout?timeout=true
. And on logout it should go to
. But in my case on logout also its redirecting to
so I am always getting timeout true for both normal logout and session timeout.

Please help me to differentiate this.


request contains

session = request.getSession();
session = null;

Sam Sam

I Solved it! by writing a filter instead depending on Spring-security.

If any one is interested can use the below code :-

import java.text.MessageFormat;

import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;
import org.springframework.web.filter.OncePerRequestFilter;

public class HandleExceptionAttribute extends OncePerRequestFilter {

    public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException {
        try {
            if(request.getRequestURI().equals("/") || request.getRequestURI().equals("/Login/")){
                if(request.getSession().getAttribute("login") != null && (Boolean)request.getSession().getAttribute("login") == true){
                    response.sendRedirect(URL);     //After login page
            } else if(request.getSession().getAttribute("login") == null && !request.getRequestURI().equals("/LogOut")){
                response.sendRedirect(request.getContextPath()+"/?timeout=true");   //If timeout is true send session timeout error message to JSP
            filterChain.doFilter(request, response);
        } catch (Exception e) {
            //Log Exception


Add this filter in web.xml.

So now session also invalidates and I can handle the session timeout too.