spring security - expiredUrl not working

Question

I need to configure expired-url in my Spring MVC application. Here is my effort, but has no effect:

@Override
protected void configure(HttpSecurity          


        

Answer 1

Ideally your UX should simply redirect your user back to the login page. I guess you see the requirement of having a dedicated /expired page because of Spring MVC - change security settings dynamically where you informed about your need of having separate login masks. If the workaround (the one that I described in my answer on your other question) works for you, you could maybe drop your requirement of having a dedicated /expired page and redirect the user to the correct login page directly using teh solution approach number (2). How about that?

Nevertheless, to answer your current question... I'm not sure if it works but give it a try and change your code

        //...
        .sessionManagement()
        .maximumSessions(1)
        .expiredUrl("/expired");
    }

to

        //...
        .sessionManagement().sessionFixation().newSession().maximumSessions(1)
        .expiredUrl("/expired")
        .sessionRegistry(sessionRegistry());
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        SessionRegistry sessionRegistry = new SessionRegistryImpl();
        return sessionRegistry;
    }

In case it doesn't work, could you then post the code of your customLogoutHandler() and customLogoutSuccessHandler()? You are using Spring MVC outside of Spring Boot, correct?