I can logout user after defined time of inactivity.
<session-timeout>240</session-timeout>
But, is there some way to logout in specified time, or better, for example until 5 minutes of inactivity after specified time.?
You can change the session timeout by HttpSession#setMaxInactiveInterval() wherein you can specify the desired timeout in seconds.
When you want to cover a broad range of requests for this, e.g. all pages in folder /admin or something, then the best place to do this is to create a Filter which is mapped on the FacesServlet which does roughly the following job:
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {
HttpServletRequest request = (HttpServletRequest) req;
HttpSession session = request.getSession();
if (request.getRequestURI().startsWith("/admin/")) {
session.setMaxInactiveInterval(60 * 5); // 5 minutes.
} else {
session.setMaxInactiveInterval(60 * 240); // 240 minutes.
}
chain.doFilter(req, res);
}
In a JSF managed bean the session is available by ExternalContext#getSession():
HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession();
// ...
Or when you're already on JSF 2.1, then you can also use the new ExternalContext#setSessionMaxInactiveInterval() which delegates to exactly that method.