First, the scheme declaration in the security-config.xml file needs to be updated to refer to 3.1 as follows:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
Second, the property configurations have changed on the SessionManagementFilter. The two marked properties are no longer valid and need to be removed:
<beans:bean id="sessionManagementFilter"
class="org.springframework.security.web.session.SessionManagementFilter">
<beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
<!-- <beans:property name="invalidSessionUrl" value="/auth/sessionExpired.jsf" />-->
<!-- <beans:property name="redirectStrategy" ref="jsfRedirectStrategy" />-->
</beans:bean>
At this point the application works, however, there is a new place for the invalidSessionUrl, session management has it's own attribute now:
<session-management invalid-session-url="/auth/sessionExpired.jsf" />
The tutorial has been updated