
I have built a single page web application using AngularJS and Spring Boot, based on the x-auth-security example code.

This all works quite fine; however, users are complaining that they need to log on again many times during the day. I am not very well versed in Spring Security and such, but I guess the reason for this is that the authentication token is created with a 1 hour expiry. See https://github.com/joshlong/boot-examples/blob/master/x-auth-security/src/main/java/demo/xauth/TokenUtils.java:

public String createToken(UserDetails userDetails) {
    long expires = System.currentTimeMillis() + 1000L * 60 * 60;
    return userDetails.getUsername() + ":" + expires + ":" + computeSignature(userDetails, expires);
}

Is it a good idea to extend this expiry to 24 hours, for example? Or would I need to change something in the Spring Security configuration:

@EnableWebMvcSecurity
@EnableWebSecurity
@Configuration
@Profile("security")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{

...

    @Override
    protected void configure( HttpSecurity http ) throws Exception
    {
        http.csrf().disable();
        http.sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS );

        http.authorizeRequests()
                .antMatchers( "/api/datasheets/*/documents/*/download" ).anonymous() // Workaround to allow download of the files again. This is insecure. Hopefully I get an answer soon: http://stackoverflow.com/questions/23413701/download-a-file-that-needs-authentication-token
                .antMatchers( "/api/**" ).hasRole( "READONLY" );

        SecurityConfigurer<DefaultSecurityFilterChain, HttpSecurity> securityConfigurer = new XAuthTokenConfigurer( userDetailsServiceBean() );
        http.apply( securityConfigurer );
    }

    @Override
    protected void configure( AuthenticationManagerBuilder auth ) throws Exception
    {
        auth.userDetailsService( new LocalUserDetailsService() )
                .and().ldapAuthentication()
                .contextSource( contextSource() )
                .ldapAuthoritiesPopulator( authoritiesPopulator() )
                .userSearchFilter( LDAP_USER_FILTER )
                .userDnPatterns( "OU=local,OU=Users" )
                .groupSearchBase( "OU=Security Groups" );
    }
Wim Deblauwe

1 Answer

I guess it's up to you whether you think tokens that last 24 hours are safe (some people do, others prefer a short lived token and a refresh mechanism, like in OAuth2). There's nothing else to change if you are happy with that level of risk.

Dave Syer
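The "short lived token and a refresh mechanism" the answer mentions, as an added example that is not part of the question's project or the x-auth-security code: a stand-alone Java class that keeps the same `username:expires:signature` token layout, rejects expired or tampered tokens, and re-issues a fresh token while the old one is still valid and close to expiry. The HMAC-SHA256 signature and the `secret`, `TOKEN_TTL_MS` and `REFRESH_WINDOW_MS` values are assumptions that stand in for the example's `computeSignature`.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Constructed example: stateless "user:expires:signature" token with a short TTL plus sliding refresh. */
public class RefreshableTokenUtils {
    private static final long TOKEN_TTL_MS = 60L * 60 * 1000;       // 1 hour, like the x-auth-security example
    private static final long REFRESH_WINDOW_MS = 15L * 60 * 1000;  // re-issue once fewer than 15 minutes remain
    private final byte[] secret;                                    // server-side signing secret (assumed)

    public RefreshableTokenUtils(byte[] secret) { this.secret = secret.clone(); }

    /** Issues a token; usernames must not contain ':' because it is the field separator. */
    public String createToken(String username, long nowMs) {
        long expires = nowMs + TOKEN_TTL_MS;
        return username + ":" + expires + ":" + sign(username, expires);
    }

    /** Returns the username if the token is well-formed, unexpired and correctly signed; null otherwise. */
    public String validate(String token, long nowMs) {
        String[] parts = token.split(":", 3);
        if (parts.length != 3) return null;
        long expires;
        try { expires = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        if (expires <= nowMs) return null;                                   // expired: force a new login
        byte[] expected = sign(parts[0], expires).getBytes(StandardCharsets.US_ASCII);
        byte[] given = parts[2].getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, given) ? parts[0] : null;     // constant-time comparison
    }

    /** Sliding refresh: a valid token near expiry is swapped for a fresh one; an invalid one yields null. */
    public String refreshIfNeeded(String token, long nowMs) {
        String user = validate(token, nowMs);
        if (user == null) return null;
        long expires = Long.parseLong(token.split(":", 3)[1]);
        return (expires - nowMs) < REFRESH_WINDOW_MS ? createToken(user, nowMs) : token;
    }

    private String sign(String username, long expires) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] payload = (username + ":" + expires).getBytes(StandardCharsets.UTF_8);
            return HexFormat.of().formatHex(mac.doFinal(payload));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

With this pattern an active user keeps a session indefinitely because each response within the refresh window can carry a new token (for example in the same `X-Auth-Token` header), while an idle user's token still expires after the short TTL, so the exposure of a stolen token stays bounded without the 24 hour lifetime.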