I know we can set session timeout in web.xml. But it seems when you click on the app after session times out, it doesn't automatically take you back to the login page. Is it normal ? What's the expected behave when you click on the app after the time has exceeded the max timeout you set in web.xml ?
If you are using J2EE standard security, you define which URL patterns you want secured in the security section of web.xml. Unless you attempt to submit one of those protected URLs, the security system will not care - it will happily allow the unsecured URL to be processed.
On the other hand, if you are NOT logged in - whether because you were not previously logged in OR because your session timed out, THEN the server will intercept the request, put it on hold and present the login page or dialog. Only after you have logged in will it then pull the original request off hold and proceed to process it as though you hadn't been briefly distracted.
This mechanism means 2 things: 1) that protected URLs are always protected and you can't hack around them by doing bypasses or playing with timeouts. 2) Since J2EE has no concept of a master entry point, you can bookmark secured pages and jump straight to them (allowing for the login process). Less flexible systems don't allow bookmarking, so users have to slog through stuff that they may not want to endure before they can get to their favorite pages.
When it comes to destroying a civilization, gas chambers cannot hold a candle to echo chambers.