After use it first time in an project ,I found it so goodt!My project use struts+tiles+spring+acegi security+hibernate.
The below feature  make much effect in my project:

1.when logout and then click 'back' button in the IE Toolbars  to the last page which will be expired and auto redirect to appointed URL.
2.if client login the system but do nothing too long ,the session will be detected and expired!but as far I don't know how did the Acegi Security implements this.(this feature is seems in spring or tomcat,after set the sessionRegistor in Acegi Security ,it is not validate)
3.Acegi Security can control How the same username can logined in different ip!e.g. the same username can login many from ip or just can only login once.for single login,there are two case:the next login will be forbided ; the next login is permited and the first login auto out fo session.it is depend on the
security level!

one thing not resolved is that if there are two different user sign in on the same mache,the prev-user will auto session expired.How to achieve this?

after set property "sessionController",below is the variety:
1.auto login; if there is one user sign ,and then open a new IE to address a url need auth ,the url will redirect to the loginfromurl.but befor set this property, the url will open a page with the signed user.
2.if there is a url needed auth on the IE address(this may be left by last login and not logout),after server restar,the
url will redirect to the loginfromurl.before this url will continuate with last authed user.
3.session will not auto expire after long time idlesse.