Managing Multiple Logins

Hi,
We have a use case that we cannot get implemented in Vaadin. If a user is logged into machine A and then logs into machine B as well, we want to invalidate his logged-in session on machine A so that he is only logged into machine B. When there is any activity on his now invalid session on machine A (user gets back to his office and clicks a link, or whatever), we want to redirect him to the login page. Currently it seems that Vaadin is unable to handle this situation in a user-friendly manner. We get big red exception popups and we are also unable to redirect the user back to the login page.

How can we solve this in Vaadin?

Thanks in advance.

Hi,

I think that I cannot understand your question…

If the problem is the way in which the information about the expired session is shown by Vaadin, you can customize the messages offered by Vaadin by extending com.vaadin.Application.CustomizedSystemMessages. You can see more information about how to do this in this forum thread; you can also modify the redirect URL for that case.

If that isn’t the problem, I don’t understand what you are asking for, because Vaadin is Java (essentially), and whatever you can do with Java, you can do with Vaadin… The session-related things don’t depend purely on Vaadin.

Cheers,

Javi

Hi Javi,
Thanks for your reply. The problem is how Vaadin handles it, not the actual invalidation of the session. We do not want the Vaadin red popup to display at all. When a user attempts an action on machine A (after logging into machine B and having his session on machine A automatically invalidated) we want to redirect the user to a login page without any other Vaadin errors or messages appearing. The thing that I did not mention before is that our login page is a JSP page outside our Vaadin application. My apologies for this.

We have been using the book “Learning Vaadin” by Nicolas Frankel and the book says: “Never ever send redirects response streams outside the current Vaadin application…”. Unfortunately our architecture does not allow us to do it differently. Do you have any ideas?

Thanks in advance.

Hi,

Right now I know what you are trying to do.

If the problem is related to the way you have to redirect, i.e. you don’t want the SystemMessages notification, maybe you can develop an aspect that catches the calls to handleServiceSessionExpired in AbstractApplicationServlet.

As the method definition is:

void handleServiceSessionExpired(HttpServletRequest request,HttpServletResponse response) throws IOException, ServletException {

In the aspect you can do:

response.sendRedirect("loginForm.jsp");

And then you can force the joinPoint to skip the execution; obviously you need to define a Before Execution JoinPoint.

Hope you can understand what I’m trying to explain, if not, feel free to ask!

It’s a quick solution that I thought of in a few minutes; I’m sure that there are others much better than this one.

Cheers,

Javi

Hi Javi,
At this stage of our project we are unable to use aspects. Why is this “handleServiceSessionExpired()” method defined with default access? Can we get this method with protected access? We extend this class in our own custom Vaadin application servlet and it would be the easiest thing for us to be able to override this method if it had been protected, but alas it is not and we are unable to introduce aspects into our code at this stage.

Kind regards.

Hi again,

I don’t know why it’s defined with default access. Maybe someone from the Vaadin Dev Team could explain that…

Why don’t you try to create your custom SystemMessages by overriding com.vaadin.Application.CustomizedSystemMessages? Doing this, you can send the user the message you want, something like “Your session has been invalidated due to a Login in other Machine. Please click here to login again. Sorry for the annoyances” or whatever you want.

The code of your custom system messages could be like this; I use a Singleton in my app and it works fine:


package com.mycompany.sys;

import com.vaadin.Application.CustomizedSystemMessages;

public class MyCustomSystemMessages extends CustomizedSystemMessages {
    protected String sessionExpiredURL = "login.jsp";
    protected boolean sessionExpiredNotificationEnabled = true;
    protected String sessionExpiredCaption = "Session started in other machine<br />";
    protected String sessionExpiredMessage = "Your session has been invalidated due to a Login in other Machine. <br /> " + 
                                             "Please click here to login again. Sorry for the annoyances";
    private static MyCustomSystemMessages instance_;

    private MyCustomSystemMessages() {
    }
    
    public synchronized static MyCustomSystemMessages getInstance() {
        if (instance_ == null ) instance_= new MyCustomSystemMessages();
        return instance_;
    }

    @Override
    public String getSessionExpiredURL() {
        return this.sessionExpiredURL;
    }

    @Override
    public boolean isSessionExpiredNotificationEnabled() {
        return this.sessionExpiredNotificationEnabled;
    }

    @Override
    public String getSessionExpiredCaption() {
        return this.sessionExpiredCaption;
    }

    @Override
    public String getSessionExpiredMessage() {
        return this.sessionExpiredMessage;
    }

}

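And in your class that extends the AbstractApplicationServlet:

import com.vaadin.Application.SystemMessages;
import com.vaadin.terminal.gwt.server.AbstractApplicationServlet;

public class MyApplicationServlet extends AbstractApplicationServlet {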
    // your methods

    @Override
    protected SystemMessages getSystemMessages() {
        return MyCustomSystemMessages.getInstance();
    }

}

HTH,

Javi

Hi Javi,
Thank you very much for your suggestions and code snippets. We will try this and see if it helps.

Thank you!
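
The server-side half of the use case this thread starts from (a login on machine B ends the session on machine A), as an added example that is not code from any poster or from Vaadin. It uses only the standard Servlet API; `SingleSessionRegistry`, `USER_ATTR` and `register()` are hypothetical names, and the listener is assumed to be registered in web.xml.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Keeps at most one live HttpSession per user name (hypothetical helper). */
public class SingleSessionRegistry implements HttpSessionListener {

    // Assumed attribute name; any key private to the application works.
    static final String USER_ATTR = "example.authenticatedUser";

    private static final ConcurrentMap<String, HttpSession> ACTIVE =
            new ConcurrentHashMap<String, HttpSession>();

    /** Call from the login handler, after the credentials have been verified. */
    public static void register(String user, HttpSession session) {
        session.setAttribute(USER_ATTR, user);
        // put() returns the session that was registered before, if any.
        HttpSession previous = ACTIVE.put(user, session);
        if (previous != null && previous != session) {
            try {
                previous.invalidate(); // the session on machine A ends here
            } catch (IllegalStateException alreadyInvalid) {
                // The container expired it first; nothing left to do.
            }
        }
    }

    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to track until the user has authenticated.
    }

    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        Object user = session.getAttribute(USER_ATTR);
        if (user != null) {
            // Two-argument remove: drop the entry only if it still points at
            // this session, so a newer login for the same user is kept.
            ACTIVE.remove((String) user, session);
        }
    }
}
```

The registry only ends the old session; what the user on machine A sees on the next request is still decided by Vaadin's session-expired handling, which is where the custom system messages from the post above come in.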