I'm using Tomcat's out-of-the-box authentication and as such I define a login-config and form-login-page in my web.xml. Is there a way to configure which page a user is redirected to when a session expires? By default, it's the form-login-page; however, I would like to inform the user that the session has expired.
Tomcat doesn't "point" to a login page. You cannot invoke the login page via a URL request of that page (the page will display, but the login logic isn't attached to it).
One of the most common ways to defeat Do-It-Yourself security systems is to issue a direct URL request for something that honest people would only be accessing after logging in. J2EE container-managed security frustrates that exploit by automatically intercepting any URL request that accesses a protected URL.
The protected request isn't discarded, however. Once the user has logged in, the original request continues with no knowledge that a login had just occurred or that a login page had ever been displayed.
You cannot display a "you're about to time out" webpage, since HTTP doesn't allow unsolicited sending of data. You cannot display a "session timed out" page because that's not how security is handled, as explained above. You might be able to put a message on the login page, but I'm not really sure.
An IDE is no substitute for an Intelligent Developer.
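Added example, not part of the posts above: one way to put a message on the login page is to make the form-login-page a small servlet that checks whether the browser arrived with a session ID the container no longer recognises. The servlet name, the `sessionExpired` attribute and the `/WEB-INF/login-form.jsp` path are hypothetical; the servlet API calls are standard (`javax.servlet` here, `jakarta.servlet` on newer containers).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet mapped to the URL named in <form-login-page>.
// The container still intercepts protected URLs and forwards here;
// this code only decides which fixed message the form shows.
public class LoginPageServlet extends HttpServlet {

    // True when the request carried a session ID (cookie or URL) that the
    // container no longer considers valid. That covers an expired session,
    // but also a stale cookie left over from a server restart.
    static boolean arrivedWithDeadSession(HttpServletRequest req) {
        return req.getRequestedSessionId() != null
                && !req.isRequestedSessionIdValid();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Pass only a boolean to the view. The JSP prints a constant string
        // when it is true, so nothing from the request is echoed back.
        req.setAttribute("sessionExpired", arrivedWithDeadSession(req));

        // Keep the login form out of browser and proxy caches.
        resp.setHeader("Cache-Control", "no-store");

        // The JSP (assumed path) holds the usual container-managed form:
        // action="j_security_check" with j_username and j_password fields.
        req.getRequestDispatcher("/WEB-INF/login-form.jsp").forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Handles the case where the container forwards the intercepted
        // request with its original method.
        doGet(req, resp);
    }
}
```

The original protected request is still saved and resumed by the container after a successful login, so this changes only what the user sees on the form.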