I have just configured session management in my web app, but Spring keeps redirecting to the invalid-session-url specified in the session management when the contextPath is launched in the browser, before I have attempted to log in and before any session has expired.
This is my configuration below:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">
  <http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login*" access="permitAll" />
    <intercept-url pattern="/styles/calvary.css" access="permitAll" />
    <intercept-url pattern="/styles/vendor/foundation.min.css" access="permitAll" />
    <intercept-url pattern="/styles/vendor/normalize.css" access="permitAll" />
    <intercept-url pattern="/styles/fonts/gothic.eot" access="permitAll" />
    <intercept-url pattern="/styles/fonts/gothic.woff" access="permitAll" />
    <intercept-url pattern="/styles/fonts/gothic.ttf" access="permitAll" />
    <intercept-url pattern="/scripts/vendor/vendor/modernizr.js" access="permitAll" />
    <intercept-url pattern="/scripts/vendor/vendor/jquery.js" access="permitAll" />
    <intercept-url pattern="/scripts/vendor/foundation/foundation.min.js" access="permitAll" />
    <intercept-url pattern="/scripts/vendor/foundation/foundation.abide.js" access="permitAll" />
    <intercept-url pattern="/scripts/calvary.js" access="permitAll" />
    <intercept-url pattern="/images/lg.png" access="permitAll" />
    <intercept-url pattern="/images/red_indicator.gif" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <form-login login-page="/login" default-target-url="/index" authentication-failure-url="/login?error" username-parameter="username" password-parameter="password" />
    <logout logout-success-url="/login?logout" invalidate-session="false" delete-cookies="JSESSIONID"/>
    <csrf/>
    <session-management session-authentication-error-url="/login?expire=3" invalid-session-url="/login?expire=3" session-fixation-protection="migrateSession">
      <concurrency-control error-if-maximum-exceeded="true" max-sessions="1" expired-url="/login?expire"/>
    </session-management>
  </http>
  <authentication-manager>
    <authentication-provider ref="calvaryLogger"/>
  </authentication-manager>
  <beans:bean name="calvaryLogger" class="com.apr.authenticator.CalvaryLogger" />
</beans:beans>
I will really appreciate any assistance. Thanks
EDIT
Below is my web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
  <servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>1</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
  <welcome-file-list>
    <welcome-file>redirect.jsp</welcome-file>
  </welcome-file-list>
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext.xml
      /WEB-INF/spring-security.xml
    </param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
  </listener>
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <error-page>
    <error-code>404</error-code>
    <location>/WEB-INF/viewList/404.html</location>
  </error-page>
</web-app>
I know this was asked quite some time ago, but this happened to me recently.
Once the user logs out and logs back in, Spring Security seems to see my session as invalid and always directs me to whatever invalid-session-url is set to.
What I just did was remove this setting from my XML, and the issue went away.
So instead of:
<session-management session-authentication-error-url="/login?expire=3" invalid-session-url="/login?expire=3" session-fixation-protection="migrateSession">
  <concurrency-control error-if-maximum-exceeded="true" max-sessions="1" expired-url="/login?expire"/>
</session-management>
Try:
<session-management session-authentication-error-url="/login?expire=3" session-fixation-protection="migrateSession">
  <concurrency-control error-if-maximum-exceeded="true" max-sessions="1" expired-url="/login?expire"/>
</session-management>
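Why removing the attribute changes the behaviour, as an added example (a simplified model written for this page, not Spring Security's source and not code from either poster): for a request with no authenticated user, the session-management filter invokes the invalid-session handling whenever the browser sends a session ID the container no longer recognises, whether or not anyone ever logged in with it. The class name, method name and sample session ID are hypothetical.

```java
import java.util.HashSet;
import java.util.Set;

// Simplified model (added example, not Spring Security source) of the
// invalid-session check applied to a request with no authenticated user.
public class InvalidSessionModel {

    // Session IDs the servlet container still holds (constructed sample state).
    static final Set<String> liveSessions = new HashSet<>();

    // requestedSessionId: JSESSIONID value sent by the browser, or null.
    // invalidSessionUrl:  the invalid-session-url attribute, or null if unset.
    static String decide(String requestedSessionId, String invalidSessionUrl) {
        // A session ID was presented, but the container has no such session.
        boolean stale = requestedSessionId != null
                && !liveSessions.contains(requestedSessionId);
        if (stale && invalidSessionUrl != null) {
            return "redirect:" + invalidSessionUrl;
        }
        // Otherwise the request continues down the filter chain; the
        // intercept-url rules and form-login decide what happens next.
        return "continue";
    }

    public static void main(String[] args) {
        liveSessions.add("A1");     // session created on an earlier visit
        liveSessions.remove("A1");  // <session-timeout>1</session-timeout> elapsed

        // Brand-new browser, no cookie: nothing to report as invalid.
        System.out.println(decide(null, "/login?expire=3"));
        // Context path opened while the browser still sends the old cookie.
        System.out.println(decide("A1", "/login?expire=3"));
        // Same request with invalid-session-url removed, as in the answer.
        System.out.println(decide("A1", null));
    }
}
```

Removing `invalid-session-url` only drops the "your session expired" redirect; `<intercept-url pattern="/**" access="isAuthenticated()" />` still sends unauthenticated requests to the login page, and `expired-url` on `concurrency-control` is unaffected.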