Looking at this issue again, I think it may not be exactly what I'm looking for, which is for the user login session to expire automatically after no user activity within the timeframe specified in the session-timeout setting in web.xml. What I've noticed in my application is that the user session never expires, so even after walking away from the computer for days, the user can still access the application without being asked to sign in again. This poses a serious security issue for me.
Granted, in my application the users can always sign out by clicking on the sign-out link (which basically calls Session#invalidate() to invalidate the session), which is available at the top of every page after signing in, but that is something that the users should have to do, in my opinion.
For some time, I thought I must have done something wrong in my code that may have caused the user session to be invalidated automatically. But after many days of searching on the internet and looking through all the examples and books that I have, I couldn't find a clue as to what I may have done wrong.
I hope you can prove me wrong.