new session work

spring-security-mvc-session/src/main/java/org/baeldung/spring/MvcConfig.java

@@ -27,6 +27,8 @@ public class MvcConfig extends WebMvcConfigurerAdapter {
 
         registry.addViewController("/login.html");
         registry.addViewController("/homepage.html");
+        registry.addViewController("/sessionExpired.html");
+        registry.addViewController("/invalidExpired.html");
         registry.addViewController("/console.html");
     }
 

spring-security-mvc-session/src/main/resources/webSecurityConfig.xml

@@ -6,7 +6,7 @@
 		http://www.springframework.org/schema/beans 
         http://www.springframework.org/schema/beans/spring-beans-3.2.xsd">
 
-    <http use-expressions="true">
+    <http create-session="always" use-expressions="true">
         <intercept-url pattern="/anonymous*" access="isAnonymous()" />
         <intercept-url pattern="/login*" access="permitAll" />
         <intercept-url pattern="/**" access="isAuthenticated()" />
@@ -14,9 +14,13 @@
         <form-login login-page='/login.html' authentication-success-handler-ref="myAuthenticationSuccessHandler" authentication-failure-url="/login.html?error=true" />
 
         <logout delete-cookies="JSESSIONID" />
-		
-		<remember-me key="uniqueAndSecret" token-validity-seconds="86400"/>
-		
+
+        <remember-me key="uniqueAndSecret" token-validity-seconds="86400" />
+
+        <session-management>
+            <concurrency-control max-sessions="2" />
+        </session-management>
+
     </http>
 
     <beans:bean id="myAuthenticationSuccessHandler" class="org.baeldung.security.MySimpleUrlAuthenticationSuccessHandler" />

spring-security-mvc-session/src/main/webapp/WEB-INF/web.xml

@@ -12,6 +12,9 @@
     <listener>
         <listener-class>org.baeldung.web.SessionListenerWithMetrics</listener-class>
     </listener>
+    <listener>
+        <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
+    </listener>
 
     <!-- Spring root -->
     <context-param>