
Thread: expired user still login and not redirect to loginpage!

  1. #1


    I want to expire a user's first session if they log in for a second time.
    Note that I wrote a custom filter for my login page as shown below, and everything works correctly.
    This is the related part of the definition in my security.xml file.

    Code:
        <beans:bean id="myLoginFilter"
                    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
            <beans:property name="sessionAuthenticationStrategy" ref="sas"/>
            <beans:property name="usernameParameter" value="username"/>
            <beans:property name="passwordParameter" value="password"/>
            <beans:property name="filterProcessesUrl" value="/test"/>
            <beans:property name="authenticationManager" ref="mySimpleAuthenticationManager"/>
            <beans:property name="authenticationSuccessHandler" ref="successHandlerBean"/>
            <beans:property name="authenticationFailureHandler" ref="failureHandlerBean"/>
        </beans:bean>
        <beans:bean id="sas"
                    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
            <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
            <beans:property name="maximumSessions" value="1"/>
        </beans:bean>
        <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>
    My problem is that when I log in with user1 and password 123456 for a second time,
    the first session of this user is expired and the expired field of SessionInformation is true,
    but the user can still work on the home page, refresh, or do anything.
    Is there any way, when a user's first session is expired, to redirect to the login page on the first request to the server?

  2. #2

    It means the first session is not expired. If it's expired, the user will not be able to do any special functions that are protected by Spring Security. But of course he can still see whatever he is viewing at that moment.

    How did you declare your http config?

  3. #3


    Code:
        <http entry-point-ref="authenticationEntryPoint" use-expressions="true">
            <!--suppress SpringModelInspection -->
            <custom-filter position="FORM_LOGIN_FILTER" ref="myLoginFilter"/>
            <intercept-url pattern="/WEB-INF/pages/login.jsp" access="permitAll"/>
            <intercept-url pattern="/login/failure.html" access="isAnonymous()"/>
            <intercept-url pattern="/index.html" access="permitAll"/>
            <intercept-url pattern="/favicon.ico" access="permitAll"/>
            <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        </http>

  4. #4

    The ConcurrentSessionControlStrategy has not been added to your filter chain. You can do this by using the custom-filter tag as you have done for your login. Or you can switch from defining it as a bean to using the namespace configuration.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
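
The custom-filter approach from the last reply, sketched as an added example that is not part of the original thread: a `ConcurrentSessionFilter` is placed at `CONCURRENT_SESSION_FILTER` so the expired flag is checked on every request. It reuses the thread's bean ids (`myLoginFilter`, `sas`, `sessionRegistry`); the `concurrencyFilter` id and the `/login/expired.html` URL are assumed placeholders, and the property-style wiring assumes the Spring Security 3.x line that still ships `ConcurrentSessionControlStrategy`.

```xml
<!-- Added example: fragment of security.xml, reusing the thread's bean ids. -->
<http entry-point-ref="authenticationEntryPoint" use-expressions="true">
    <!-- Checks each request's session against the SessionRegistry. Without this
         filter the "expired" flag is set at the second login but never enforced. -->
    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"/>
    <custom-filter position="FORM_LOGIN_FILTER" ref="myLoginFilter"/>
    <!-- Use the same strategy bean as the login filter for session handling. -->
    <session-management session-authentication-strategy-ref="sas"/>
    <!-- Assumed placeholder page, reachable without authentication. -->
    <intercept-url pattern="/login/expired.html" access="permitAll"/>
    <!-- The remaining intercept-url rules from the thread stay as posted. -->
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
</http>

<beans:bean id="concurrencyFilter"
            class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <!-- Must be the same registry instance that the "sas" bean writes to. -->
    <beans:property name="sessionRegistry" ref="sessionRegistry"/>
    <!-- Where a request on an expired session is redirected (placeholder). -->
    <beans:property name="expiredUrl" value="/login/expired.html"/>
</beans:bean>
```

`SessionRegistryImpl` only learns that a session has ended if `org.springframework.security.web.session.HttpSessionEventPublisher` is registered as a listener in web.xml; without it, a user who logs out can stay counted against `maximumSessions`.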
