Help: Disabling the SessionExpiredNotification

I am trying to disable the session notification as we use spring-security which embeds the login.html into our session expired notification frame (yuk).

We are using
Vaadin 6.8.0

I have the following defined in our

   * - Disabling the session timeout notification, this causes a redirect on timeout (reload).
   * @return the {@link CustomizedSystemMessages}
  public static CustomizedSystemMessages getSystemMessages() {
    CustomizedSystemMessages customMessages = new CustomizedSystemMessages();
    // Ideally disable the notification all-together
    // Set both caption and message to null so that it redirects immediately
    // Use current address
    return customMessages;

   * {@inheritDoc}
  public void onRequestStart(HttpServletRequest request, HttpServletResponse response) {
    System.out.println("Max interval: " + request.getSession().getMaxInactiveInterval());
    System.out.println("caption: " + getSystemMessages().getSessionExpiredCaption());
    System.out.println("message: " + getSystemMessages().getSessionExpiredMessage());
    System.out.println("url: " + getSystemMessages().getSessionExpiredURL());
    System.out.println("enabled?: " + getSystemMessages().isSessionExpiredNotificationEnabled());

Gives the following output when run:

Max interval: 60
caption: null
message: null
url: null
enabled?: false

Javadoc for CustomizedSystemMessages

My problem is that, despite all of the above settings and output the session notification dialog continues to be displayed at runtime with the default values (including injected spring login page).

This appears to be occurrng because the AbstractApplicationServlet handleServiceSessionExpired(…) (default scope) method fails to apply the rules promised by the SystemMessage abstraction.

In the else statement on line 1130 it immediately invalidates the session and then shows a critical notification.

According to the SystemMessages abstraction it should actually perform a redirect since I have done everything required to disable the session notification.

I’m not sure where to go from here as handleServiceSessionExpired is package protected so I cannot override it . If at all possible I would like to avoid the need to download/customize and build Vaadin to remove the offending code; any ideas?

For anyone interested in the outcome I used SessionGuard (addon) with keepalive mode enabled. had related information.