I am learning Spring (3.1 specifically). I am writing a sample web project where I don't password protect any internal page just yet; I do allow the users to connect as ANONYMOUS to anywhere. Eventually I will protect the pages with my custom login mechanism- I attach an excerpt from my security file below:
I set a very short session timeout period for testing purposes. What troubles me is even the user is ANONYMOUS, and tries to access an unprotected page, once his session is timed out, Spring redirects his request to invalid-session-url.
<http use-expressions="true" disable-url-rewriting="true">
<intercept-url pattern="/**" access="hasRole('ROLE_ANONYMOUS')"/>
<form-login login-page="/signin" authentication-failure-handler-ref="customAuthenticationFailureHandler" authentication-success-handler-ref="customAuthenticationSuccessHandler" />
<logout invalidate-session="true" success-handler-ref="customLogoutHandler" delete-cookies="JSESSIONID" />
<port-mapping http="80" https="8443"/>
Is there a way to change this behaviour? What is the best practice to let Spring redirect the invalid-session's to specified URL only when the user has actually logged-in, and tries to access a protected page...
Thanks in advance.