System Messages containing Login-Page

Hi all,

I have a problem with the system messages and our login page.
We secured our Vaadin application with servlet security from Jetty. So if you aren't authenticated, Jetty redirects you to a login page where the user is authenticated against a Realm. Afterwards it successfully redirects the user to the requested page in the Vaadin app.

Now to the problem. If I have a communication error, Vaadin displays a system message. The system message has the header/caption, the message itself and some details. So far so good.
The problem now is that the details also contain the login page, which should only be displayed after the user presses Esc or clicks the message so that the page reload is triggered.

Does anyone know how I can configure the details and make sure that the login page is not displayed in the system message?
In the CustomizedSystemMessages I can only set the caption, message and URL.
I use Vaadin 7.3, if this is relevant.

Thanks in advance for any help.

Don't know if my question and self-answer will help you: !/thread/9306028

Thanks for the tip, I'll try it too.
That's the exact same problem I have here too.
And it shows that my forum search was bad, as I didn't find your thread before :wink:

Well, that actually does work for me too.
But isn't this killing the complete security container? In my understanding, and I hope that's correct, all other request types would be allowed and the container only redirects GET. At least if I use http-method in the security constraints...
At least I think that if it's not listed there, it is allowed. So if I only include GET, doesn't this mean all other requests are OK and don't need redirection?

Or how did you make sure only authenticated users can access your system? I personally do like the servlet container security, as it should block all access.

Copying my reply from the other thread:

Ok, I did find a hack for the login page issue. Not a nice one, but it works.
I can just hide the page via CSS with display: none; then I don't see it in the system message.

So far it works ok; if I click on the message it forwards me to the login page where I can do my authentication.
The problem now is that afterwards it doesn't display the page I was on before, but Jetty forwards me to this URL:

http://localhost:8080/myapp/UIDL/?v-uiId= The content is the following plain text:

for(;;);[{"resources":{},"syncId":-1,"locales":{},"meta":{"appError":{"message":"Take note of any unsaved data, and click here or reload the page to continue.","caption":"Session Expired"}},"changes":{}}]

Now I am wondering where this UIDL thing is coming from, as it doesn't go to the VaadinServlet. If I manually remove the UIDL... from the URL it works fine.

Oh, just as a side note, I tried the string Vaadin-Refresh. The reload works fine; the only problem is that then I don't see the system message anymore and find myself immediately at the login page.
So this doesn't allow the user to take any notes, therefore it's not really practical.
Nevertheless, the UIDL message still appears after the authentication.

I assume that the system message somehow tries to send this to the server, therefore the container security forwards me to the login page and afterwards to the requested URL; in this case the one with the UIDL.

Using a typical Tomcat setup, only the GET and POST methods will be allowed (I believe). You have to do extra configuration to allow PUT and DELETE, and I doubt that Vaadin itself supports them.

For us, while a user can "trick" the system into displaying the Vaadin page using a POST, in our system they are still not logged in, so the Vaadin app is displayed as mostly a blank page with a logoff button. The contents of the Vaadin page are built based on being logged in, which we check by looking for our logged-in user in the session. And if the session has expired, Vaadin correctly displays the communication/session-expired red alert box on the subsequent UIDL POST requests (either from clicking on something or eventually from a heartbeat).

The GET check we use allows for a natural redirect should they reload their page or bookmark the URL after logging into our Vaadin app. For us, our login page is a “/” and when they are logged in they are in “/ui”. So if they bookmark anything with the “/ui” path in it, or click reload, we just redirect to our login page.

I don't understand why a redirect on the POST UIDL results in a redirect and sucks that response into the red alert box, though. That seems like a bug to me, as you cannot interact with the red box, unless it's part of the design so that I could include a custom message inside the red box by redirecting to a "message page."

Yup, same goes for Jetty. By default it only supports the GET and POST methods, so no problem with PUT and DELETE.
Anyway, I also specified them in the web.xml, just to be on the safe side :slight_smile:

In addition, we included a check in the servlet that checks every request for whether a known Principal is available, and if not it responds with HTTP 401 Unauthorized. This doesn't forward the user to the login page, but it also prevents any user from accessing the application even if he uses a fake POST request to get there.

We also offer functionality in the application based on the Principal, so even if he were able to load the application there would be nothing there except the logout button.

For now this workaround does the trick for us, but I'm still not too happy with it, because I also don't see a reason why the redirect result ends up in the system message, especially if I get there anyway once I click on the message. I think the redirection should only be there if required.
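Added example (not code from this thread, from Vaadin or from Jetty) of the backstop check described two posts up, written as a servlet Filter rather than inside the servlet: it answers the earlier worry that a security-constraint listing only GET leaves every other method uncovered, because the filter runs on all methods (UIDL POSTs and heartbeats included) and ends unauthenticated requests with a plain 401 instead of a redirect, so no login-page HTML can land in a UIDL response. The class name RequirePrincipalFilter, the "/*" mapping and the public paths in isPublic are assumptions; adjust them to your own form-login page.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects every request that carries no authenticated Principal with 401,
 * regardless of HTTP method. The container's security-constraint still does
 * the login-page redirect for GET; this filter is the backstop for POST/UIDL,
 * heartbeat and any method the constraint does not list.
 * (Assumed filter name and mapping; the thread's check lived in the servlet.)
 */
@WebFilter(urlPatterns = "/*")
public class RequirePrincipalFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The login page and the form-login action must stay reachable.
        if (isPublic(request)) {
            chain.doFilter(req, res);
            return;
        }

        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // No redirect: a redirected XHR would otherwise pull the login
            // page into Vaadin's system message, as described in the thread.
            response.setHeader("Cache-Control", "no-store");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not authenticated");
            return;
        }

        chain.doFilter(req, res);
    }

    /** Paths served before authentication (assumed names for this example). */
    static boolean isPublic(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return path.equals("/login.html")
            || path.equals("/login-error.html")
            || path.equals("/j_security_check");   // standard form-login action
    }

    @Override
    public void destroy() { }
}
```

Because the 401 is produced inside the filter chain and never hits a security-constraint, the container's form-login redirect is not triggered for these requests; the browser-side Vaadin client just sees a failed UIDL request and shows its communication-error message without any foreign HTML in the details.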