I am using Spring Security 3 in my JSF2 web application.
I have a security rule to provide session timeouts:
<session-management invalid-session-url="/faces/paginas/autenticacion/login.xhtml?error=1" />
So, when the session has expired and the user clicks on any link, he is redirected to the login page. On this page, I check the error parameter and show the user a message that the session has expired.
But I have 2 problems:
(1) When I launch the application for the first time (it tries to show the home page), I am redirected to the login page and the session has expired. I think this can happen because the first time you start the application, the session is new, and Spring Security may “think” that it has expired (does not distinguish between the new session and timeout).
(2) If the session has expired for anonymous users (not yet authenticated), I am also redirected to the timeout of the login page. I do not want this behavior for non-authenticated users; I just want to check timeouts for authenticated users.
How can I solve both of these problems?
Thanks in advance.