session expiration redirection page not in error box

Hi everybody,

I’m glad to post a new message on this board, but unfortunately it’s to try to find somebody to solve my problem.

I’m pretty new with Vaadin, and don’t have any experience with it.

My problem is based on a session expiration with Spring Security authentication with the Navigator7 addon.

The pages that are called in my menu are loaded by an ajax call. But when I call my button menu, the session expiration sends me an “HTTP 302 Moved Temporarily” and the redirection is shown in the Communication Problem error box.

I want to redirect the whole login page directly in the main page.

What’s the concept I didn’t understand, or what is the way to solve it?

Thank you so much!



I’ve just run into the same situation from a different angle, which makes me believe that the VAADIN client should understand common HTTP response codes (rather than just its own).

One would like to implement a security servlet filter and redirect the user to a static login page before getting anywhere further. If somehow the security context is not available, it will send a redirect and the VAADIN client code would respond to it accordingly regardless of request type (normal or ajax/uidl request).

Thought I should post it here to get some attention/confirmation before creating a feature request.


I’m also seeing this issue. I am also seeing the content of the login page to which the user is redirected displayed within the notification.

Anyone else seeing this or have a solution?


We’re working on this (ticket #8241 in trac).

Vaadin already understands many HTTP status codes, but there are none in the HTTP spec that mean “You should login via the form I sent you.” 403 Forbidden means “This is always forbidden to you, don’t try again”, and 401 Unauthorized means the client should try HTTP Basic/Digest Authentication. Another option would be to use a custom header, but certain firewalls remove unrecognized headers from HTTP messages.

Vaadin 7 will improve the communication protocol, making it easier to support things like what is required here, but in the meantime, I committed a patch that adds support for a special token that can be inserted into the response body, causing Vaadin to refresh the current page or load a given URL.

For instance, if a servlet filter serves a login page as the response to a UIDL request, having the string Vaadin-Refresh anywhere in the HTML (say, in a comment) will cause Vaadin to synchronously refresh the page, loading the login page itself. You can also say Vaadin-Refresh: /myLogin to do a redirect to /myLogin.

Does the above seem sufficient or is there a use case where something more sophisticated is required?
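
One way a servlet filter could use the token described above, as an added example that is not part of the original thread and not Vaadin's own code. The class name, the session attribute, the /UIDL path check and the /myLogin path are assumptions; the redirect target is a fixed same-origin path and is never built from request parameters.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginRefreshFilter implements Filter {
    // Assumptions for this example, not taken from the thread:
    private static final String LOGIN_URL = "/myLogin";           // fixed login path
    private static final String USER_ATTR = "authenticatedUser";  // hypothetical session attribute
    private static final String UIDL_MARKER = "/UIDL";            // assumed marker of Vaadin ajax requests

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) rq;
        HttpServletResponse response = (HttpServletResponse) rs;

        // getSession(false): an expired session must not be silently recreated here.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_ATTR) != null;
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (loggedIn || path.equals(LOGIN_URL)) {
            chain.doFilter(rq, rs);
            return;
        }
        String target = request.getContextPath() + LOGIN_URL;
        if (path.contains(UIDL_MARKER)) {
            // Ajax (UIDL) request: a 302 would end up in the "Communication problem"
            // box, so answer 200 with the token inside an HTML comment instead.
            response.setStatus(HttpServletResponse.SC_OK);
            response.setContentType("text/html; charset=UTF-8");
            response.setHeader("Cache-Control", "no-cache, no-store");
            response.getWriter().write(
                "<html><body><!-- Vaadin-Refresh: " + target + " --></body></html>");
        } else {
            response.sendRedirect(target); // normal page load: ordinary redirect
        }
    }
}
```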



I tried the “Vaadin-Refresh” text, it works, but it is not as good as the original “Session expired” message. The page just suddenly disappears to the login form. It would be better, if some message would be displayed with a link to refresh or redirect the page.

Where exactly do I have to add the string “Vaadin-Refresh”? Somewhere inside the vaadin-application?

Hi Johannes.

I’m not sure why you need custom headers.

The client should detect a change in the JSESSIONID cookie instead and react to this differently.

With new sessions the Vaadin client is not really involved, since the Servlet will send an HTTP 302 Moved Temporarily to the original request.

However, when the session expires, most of the form-based authentication implementations will simply initiate a new session and reply with the content of the login form.
The simplest way to detect this is to compare the request’s JSESSIONID with the response’s JSESSIONID; if they changed, the Vaadin client should not interpret the response as UIDL… It should consider it as a reset and set the browser’s DOM to the content of the response.

Is this solution still valid with Vaadin 7?