Tomcat - Spring Security not invalidating HTTP sessions
I have a SOAP web service and implemented Spring Security authentication.
I generated a client that is used in the front end.
My problem is that each time the client makes a request, the web service generates a session, and the session stays there; the session never gets invalidated.
Here is part of my web.xml file:
<session-config>
    <session-timeout>1</session-timeout>
</session-config>
What I need is that the session should be invalidated after each request.
The Spring Security http element has an attribute 'create-session' which can be set to 'stateless', after which a session is never created.
E.g.
<http pattern="/restful/**" create-session="stateless">
    <intercept-url pattern='/**' access='role_remote' />
    <http-basic />
</http>
Documentation here:
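A way to confirm the stateless setting took effect, as an added example that is not part of the original question or answer: with create-session="stateless" Spring Security itself neither creates nor uses an HttpSession, but other code in the application that calls getSession() can still create one, so it is worth checking responses for a session cookie or a rewritten URL. The response header blocks below are constructed samples, and the function name is hypothetical.

```python
# Constructed sample responses (status line + headers), not captured from a real server.
STATEFUL = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/ws; HttpOnly\r\n"
    "Content-Type: text/xml;charset=UTF-8\r\n\r\n"
)
STATELESS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/xml;charset=UTF-8\r\n\r\n"
)
REWRITTEN = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /ws/login;jsessionid=0123456789ABCDEF\r\n\r\n"
)

from http.cookies import SimpleCookie


def session_indicators(raw_response, cookie_name="JSESSIONID"):
    """Return the reasons a response shows that the container created a session."""
    found = []
    # Skip the status line; stop at the blank line that ends the header block.
    for line in raw_response.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookie = SimpleCookie()
            cookie.load(value)
            if cookie_name in cookie:
                found.append("Set-Cookie: " + cookie_name)
        elif name == "location":
            # Tomcat falls back to ;jsessionid=... in URLs when cookies are not used.
            if (";" + cookie_name.lower() + "=") in value.lower():
                found.append("URL rewriting in Location")
    return found


if __name__ == "__main__":
    for label, raw in (("stateful", STATEFUL), ("stateless", STATELESS),
                       ("rewritten", REWRITTEN)):
        print(label, session_indicators(raw) or "no session created")
```

Against a live service, feed the function the header block of each authenticated response; a correctly stateless endpoint returns an empty list every time.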