spring-security not invalidating http sessions
I have a soap web service and i implemented a spring security authentication.
I generated a client which is used in the front end.
My problem is that each time the client makes a request the web-service generates a session and than the session just stays there, session never gets invalidated.
Here is my part of web.xml file:
<session-config> <session-timeout>1</session-timeout> </session-config>
What I need is that the session should get invalidated after each request.
Spring security http element has a attribute 'create-session' which can be set to 'stateless' after which a session will never be created.
<http pattern="/restful/**" create-session="stateless"> <intercept-url pattern='/**' access='ROLE_REMOTE' /> <http-basic /> </http>