You can either set the session timeout (say 60 minutes) for all sessions in web.xml:
<session-config>
<session-timeout>60</session-timeout>
</session-config>
or on a per-session basis using
session.setMaxInactiveInterval(60*60);
the latter you might want to do in a authorizationSuccessHandler.
<form-login authentication-success-handler-ref="authenticationSuccessHandler"/>