diff --git a/src/main/java/cokr/xit/base/boot/SecurityConfig.java b/src/main/java/cokr/xit/base/boot/SecurityConfig.java
index ac8a040..cfa8183 100644
--- a/src/main/java/cokr/xit/base/boot/SecurityConfig.java
+++ b/src/main/java/cokr/xit/base/boot/SecurityConfig.java
@@ -3,6 +3,7 @@ package cokr.xit.base.boot;
 import javax.annotation.Resource;
 
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.ProviderManager;
@@ -10,6 +11,8 @@ import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
+import org.springframework.security.core.session.SessionRegistry;
+import org.springframework.security.core.session.SessionRegistryImpl;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
 import org.springframework.security.web.session.HttpSessionEventPublisher;
@@ -36,8 +39,13 @@ public class SecurityConfig {
 private StaticResourceConfig staticResource;
 
 @Bean
- public HttpSessionEventPublisher listener() {
- return new HttpSessionEventPublisher();
+ public SessionRegistry sessionRegistry() {
+ return new SessionRegistryImpl();
+ }
+
+ @Bean
+ public ServletListenerRegistrationBean httpSessionListener() {
+ return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
 }
 
 /**SecurityFilterChain을 반환한다.
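Review bot: The new `httpSessionListener()` bean declares the raw type `ServletListenerRegistrationBean` as its return type while using the diamond on the right-hand side, which leaves an unchecked-conversion warning and hides what listener is registered; declare it as `public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionListener() {`. A short Javadoc on both new beans would also help, since their purpose is only clear together: the `SessionRegistry` holds the sessions that concurrent session control tracks, and the `HttpSessionEventPublisher` is what lets that registry learn about session destruction so stale entries are removed; something like `/** Publishes servlet session lifecycle events so the SessionRegistry can evict destroyed sessions. */` on the listener bean.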
@@ -48,7 +56,12 @@ public class SecurityConfig {
 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 http.authorizeHttpRequests(conf ->
- conf.antMatchers("/login.do", "/logout.do", "/error/*.do").permitAll()
+ conf.antMatchers(
+ "/login.do",
+ "/logout.do",
+ "/error/*.do",
+ "/api/**/*.do"
+ ).permitAll()
 .antMatchers("/**/*.do").access(authorizationManager())
 .anyRequest().authenticated()
 )
@@ -68,7 +81,9 @@ public class SecurityConfig {
 .sessionManagement(conf ->
 conf.invalidSessionUrl("/error/invalidSession.do")
 .sessionConcurrency(config ->
- config.expiredUrl("/error/sessionExpired.do")
+ config
+ .expiredUrl("/error/sessionExpired.do")
+ .sessionRegistry(sessionRegistry())
 )
 )
 .authenticationManager(authenticationManager())
@@ -85,7 +100,9 @@ public class SecurityConfig {
 */
 @Bean
 public WebSecurityCustomizer webSecurityCustomizer() {
- return conf -> conf.ignoring().antMatchers(staticResource.getURLs(null));
+ return conf -> conf.ignoring()
+ .antMatchers("/api/**/*.do")
+ .antMatchers(staticResource.getURLs(null));
 }
 
 /**AuthenticationSuccess(로그인 성공 핸들러)를 반환한다.
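Review bot: Adding `"/api/**/*.do"` to `permitAll()` here is dead configuration, because the last hunk in this file (`webSecurityCustomizer()`) also adds the same pattern to `conf.ignoring()`, and an ignored pattern never reaches this filter chain at all. The consequence is stronger than "no login required": every `.do` endpoint under `/api/` (the `**` also matches zero segments, so `/api/x.do` is included) is served with no CSRF check, no security headers, no session management and no `SecurityContext`, which is rarely what is wanted for application endpoints. If the intent is public endpoints, keep the `permitAll()` entry and restore `return conf -> conf.ignoring().antMatchers(staticResource.getURLs(null));` in `webSecurityCustomizer()`; if the API is meant to use a different authentication scheme, it belongs in its own `SecurityFilterChain` bean rather than in `ignoring()`. The `securityFilterChain` method continues outside this hunk.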
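Review bot: In the `sessionConcurrency` hunk, `.sessionRegistry(sessionRegistry())` and the existing `expiredUrl` only take effect once concurrent session control is actually enabled, which in Spring Security 5 as far as I recall requires `maximumSessions(n)` on the same configurer; nothing in this hunk sets it, so if it is not configured elsewhere in the method the registry is wired but unused. If that is the case, the chain should read `config.maximumSessions(1)` followed by `.expiredUrl("/error/sessionExpired.do")` and `.sessionRegistry(sessionRegistry())`, with a comment such as `// limit each principal to one live session; SessionRegistry tracks them` so the intended policy is visible. The enclosing `securityFilterChain` method starts and ends outside the hunk.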