Currently we are having a problem in one of our applications. We have basic authentication enabled in our security layer and session management enabled with the following configuration:

<session-management invalid-session-url="/invalidSession" />

One of our programs posts information to our URL until the session expires, and this is when the SessionManagementFilter kicks in. The session is invalid now, and the filter passes control to the redirection strategy, which by default is of type DefaultRedirectStrategy, and this object executes HttpResponse.redirect to the invalid-session-url, sending a 302 message to the client. But because clients are posting information, redirection with 302 after a POST method must be confirmed by users. What we want is to send 303 status codes instead of 302 when this scenario happens, so clients automatically follow the Post/Redirect/Get design pattern.

I think I could create a custom filter to handle the session and redirections but I was wondering if there is a way to only change the RedirectStrategy for the SessionManagementFilter using the session-management tag.

We are using Spring-Security 3.0.2.

Thank you so much.
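
An added example, not part of the original post: a RedirectStrategy implementation that answers with 303 See Other, setting the status and Location header itself because HttpServletResponse.sendRedirect() always produces a 302. The class name SeeOtherRedirectStrategy is hypothetical, and how the strategy is wired into the SessionManagementFilter is not shown because it depends on the Spring Security version.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.RedirectStrategy;

/** Hypothetical class (not from the post): redirects with 303 See Other. */
public class SeeOtherRedirectStrategy implements RedirectStrategy {

    public void sendRedirect(HttpServletRequest request, HttpServletResponse response,
                             String url) throws IOException {
        // Accept only context-relative targets such as "/invalidSession", so a value
        // reaching this method can never point the client at another host, and
        // reject CR/LF so the Location header cannot be split.
        if (url == null || !url.startsWith("/") || url.startsWith("//")
                || url.indexOf('\\') >= 0
                || url.indexOf('\r') >= 0 || url.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("Redirect target must be context-relative");
        }
        if (response.isCommitted()) {
            throw new IllegalStateException("Response already committed, cannot redirect");
        }

        // encodeRedirectURL keeps URL-rewritten session ids working where they are in use.
        String target = response.encodeRedirectURL(request.getContextPath() + url);

        // 303 tells the client to fetch the target with GET, whatever the original
        // method was, which is the Post/Redirect/Get behaviour asked for above.
        // A relative Location is permitted by RFC 7231; build an absolute URL from a
        // configured host name (not from the Host header) if older clients need one.
        response.resetBuffer();
        response.setStatus(HttpServletResponse.SC_SEE_OTHER);
        response.setHeader("Location", target);
        response.flushBuffer();
    }
}
```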