I'm using Spring Security 3.0.5 with the namespace configuration elements. My "form-login" element looks like this:

Code:
<form-login
    login-page="/login" 
    default-target-url="/search" 
    always-use-default-target="false"
    authentication-failure-url="/login?auth_failure" />

This works as expected; if a user tries to access a protected URL (like /admin), they're asked to log in first, and after login they are automatically taken to the page they originally requested.

However, if I add the "session-management" element to my configuration file, like this:

Code:
<session-management invalid-session-url="/login?timeout" />

the behavior described above breaks. After a user session times out, the user correctly sees the login page (with a timeout message because of the included ?timeout parameter). But when they log in from this page, they are no longer taken to the URL they originally requested (like /admin). Instead, they are always sent to the URL specified in default-target-url (in this case, /search). It's as if the always-use-default-target attribute in the form-login element is being ignored, or set to "true."

Is this by design? Or is there something about the session-management element that is causing the "target URL to forward to" to be lost?

Is there any way I can use both the session-management element (to handle timeouts a particular way), and also still make use of the feature that sends users to the page they originally requested after a login?

Thanks for your help...
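
One way to keep both behaviours, as an added example that is not part of the original post or of Spring Security itself: a small filter that stores the requested URL in the request cache before redirecting to the timeout page. It assumes the redirect triggered by invalid-session-url happens before the original request is saved, which would explain why form-login falls back to default-target-url; the class name TimeoutRedirectFilter and the bean id timeoutRedirectFilter are hypothetical.

```java
// Added example (hypothetical class). Declare it as a bean with id "timeoutRedirectFilter",
// remove invalid-session-url from <session-management>, and inside <http> register:
//   <custom-filter before="SESSION_MANAGEMENT_FILTER" ref="timeoutRedirectFilter" />
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.web.filter.GenericFilterBean;

public class TimeoutRedirectFilter extends GenericFilterBean {
    private final RequestCache requestCache = new HttpSessionRequestCache();
    private final String loginPath = "/login";           // login-page from the post
    private final String timeoutUrl = "/login?timeout";  // invalid-session-url from the post

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A session id was presented but the container no longer knows it: treat as timeout.
        boolean timedOut = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
        if (!timedOut) {
            chain.doFilter(request, response);
            return;
        }
        // Remember only GET requests (safe to replay after login), never the login page itself.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if ("GET".equals(request.getMethod()) && !path.startsWith(loginPath)) {
            requestCache.saveRequest(request, response); // stores the URL in a fresh session
        } else {
            request.getSession(); // fresh session so the redirected request is not stale again
        }
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + timeoutUrl));
    }
}
```

Because the filter uses the same session-backed request cache as the default form-login success handling, always-use-default-target="false" can stay as configured in the post.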