为什么不试试 Spring Security?

Why don't you try this with Spring Security?

<sec:session-management invalid-session-url="/login">
        <sec:concurrency-control expired-url="/login" />
</sec:session-management>

当用户的会话过期或无效时，这将重定向到/login 页面.

This will redirect to /login page when the user's session is expired or invalid.

参考:http://docs.spring.io/spring-security/site/docs/3.0.x/reference/springsecurity.html