There are several approaches for this. first you can use spring security auto config in your applicationContext.xml by setting login-page it will automatically redirect not logged-in users reaching secured routes (like /userReged/**) to that certain login-page :

<security:http auto-config="true">
    <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/userReged/**" access="ROLE_USER"/>
    <security:form-login
            login-page="/"
            default-target-url="/somePage"
            authentication-failure-url="/user/logfailed?error"
            username-parameter="userName"
            password-parameter="userPassword" />
    <security:logout
            logout-success-url="/?logout"/>
</security:http>

one other way is to check user being logged-in in your controller manually in specific route :

@RequestMapping("/somePage")
public String getSomePage(Model model, HttpServletRequest request) {

    Principal principal = request.getUserPrincipal();
    if (principal != null) {

        User activeUser = userService.getUserByPhone(principal.getName());
        // ...

    } else { // user is not authenticated
        System.out.println("user is not authenticated to proceed the somePage!!!!!!!");
        return "redirect:/";
    }
}

In order to set timeout for spring security you can put this in your web.xml :

<session-config>
    <session-timeout>
        1440
        <!--mins-->
    </session-timeout>
</session-config>

now if you want to redirect clients on exact timeout you can refresh the page automatically in client side in some intervals.