Problem with single-sign-on integration

We have implemented a project where the customers log in using SiteMinder (from CA) and are then redirected to our Vaadin application. Everything on this end works fine: the user name from SiteMinder is part of the HTTP header and we are able to retrieve that information using the Vaadin onRequestStart() method.

Each request that the browser (and therefore the Vaadin client code) sends is automatically redirected through SiteMinder, and we have no way of changing that. SiteMinder then checks the "SiteMinder session" and forwards the request to our application server running the Vaadin application.

The problem we have lies in the different session timeouts SiteMinder and Vaadin have. In SiteMinder, once you log in, your session times out automatically after, say, three hours (even if you worked just a few minutes ago). If that happens, SiteMinder does not redirect the request but forwards it to the SiteMinder login page.

So, if you are in our application and e.g. click a button that triggers a Vaadin UIDL request, this will then get forwarded to SiteMinder, SiteMinder will say "Oh, your session expired, please log in again." and return HTML page content to the browser.
The client component of Vaadin naturally does not understand HTML but expects JSON, and thus responds with an "ugly" CommunicationError notification, which contains a "Syntax Error" and some garbled HTML stuff.

The customers, not being aware of the works behind the curtain, naturally complain about the CommunicationError notification.

So, to cut things short: is there an easy way to change the way the UIDL response is handled, so that we can detect the SiteMinder login box (e.g. by looking at the HTTP response content) and then show a custom message with a redirect link?

We know that we can rewrite the error text and the CSS, but that just won't do, because sometimes the CommunicationError is just a CommunicationError (we get those a lot, by the way, being an application reachable through the Internet with some customers still using IE7) and not a problem with the expired SiteMinder session.

What do we have to look at and which classes need extending?
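One way to tell the SiteMinder login page apart from a genuine UIDL response before deciding what to show the user, as an added JavaScript example that is not part of the original post and not Vaadin's own client code. It assumes Vaadin 6 UIDL bodies carry the for(;;); prefix and that the SiteMinder login form posts to a .fcc URL; both markers and all sample responses are assumptions constructed for the example.

```javascript
// Added example (not the poster's or Vaadin's code): classify an XHR
// response that the Vaadin client expected to be UIDL JSON, so that an
// SSO login page returned by SiteMinder can be reported as an expired
// session instead of a generic CommunicationError.
// Assumptions: Vaadin 6 UIDL bodies start with the "for(;;);" prefix,
// and the SiteMinder login page is an HTML form posting to a ".fcc" URL.
// Adjust the markers to what your deployment actually returns.

var UIDL_PREFIX = "for(;;);";
var SSO_LOGIN_FORM = /<form[^>]*action="[^"]*\.fcc"/i;

// Returns {kind: "uidl"} for a valid UIDL body, {kind: "sso-expired", ...}
// for the SiteMinder login page, and {kind: "error", ...} for anything else
// (a real CommunicationError: HTTP 5xx, proxy error page, malformed JSON).
function classifyUidlResponse(status, contentType, body, loginUrl) {
  var type = String(contentType || "").toLowerCase();
  body = String(body || "");
  if (status === 200 && body.indexOf(UIDL_PREFIX) === 0) {
    try {
      JSON.parse(body.slice(UIDL_PREFIX.length)); // must be JSON after the prefix
      return { kind: "uidl" };
    } catch (e) {
      return { kind: "error", message: "Malformed UIDL response" };
    }
  }
  if (type.indexOf("text/html") === 0 && SSO_LOGIN_FORM.test(body)) {
    return {
      kind: "sso-expired",
      message: "Your single-sign-on session has expired. Please log in again.",
      redirect: loginUrl
    };
  }
  return { kind: "error", message: "Communication error (HTTP " + status + ")" };
}

// Constructed sample responses, not captured from a real deployment.
var SAMPLE_UIDL = 'for(;;);[{"changes":[],"meta":{},"resources":{},"locales":[]}]';
var SAMPLE_SSO_PAGE = '<html><body><form method="post" action="/siteminderagent/forms/login.fcc">' +
  '<input name="USER"><input name="PASSWORD" type="password"></form></body></html>';
var SAMPLE_ERROR_PAGE = "<html><body><h1>502 Bad Gateway</h1></body></html>";

function demo() {
  return [
    classifyUidlResponse(200, "application/json; charset=UTF-8", SAMPLE_UIDL, "/").kind,
    classifyUidlResponse(200, "text/html; charset=UTF-8", SAMPLE_SSO_PAGE, "/").kind,
    classifyUidlResponse(502, "text/html", SAMPLE_ERROR_PAGE, "/").kind
  ];
}
```

Only the "sso-expired" case should get the custom message with the redirect link; the "error" case is the real CommunicationError and should keep its usual handling.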