Vaadin lets you build secure, UX-first PWAs entirely in Java.
Free ebook & tutorial.
LoginForm as a view and sessions
I was trying to integrate the LoginForm as a "page view" to my main window so that it will switch in/out based on whether the user is logged in or not.
I put some code in the application's transactionStart() method to detect if a request comes in and the user is not logged in, I switch to the login view. This seems to work okay.
But when I logout, my code called close() and then ended the session and then switch to the login view, but of course this just causes the LoginForm to request a new session as it has to communicate with vaadin again. The result is that after a logoff, I do clear the user's session, but a new session is started. Normally, not a problem, but this session will hang around for the standard timeout and most often, the user will not login again.
The second issue is that if the user stays on the login page but doesn't login before the session times out, when they try to login, they get either session terminated errors or sometimes a communications problem ("invalid security key") which then causes the login page to be displayed again, but with whatever info they entered gone.
In the meantime, I've just implemented JSP pages for login and logoff and set it up to work. With my JSPs, the login page doesn't require a session, so a session doesn't start until they click the login button, and the logoff page ends the session, so it works like a champ.
But wondered if there's something I can do better to keep the login page as a view of my vaadin app rather than separate web pages.
I don't know if this is what you are searching for, but using Application.setLogoutURL(logoutURL), you can redirect to a non-Vaadin page when logging out (calling Application.close()), but remember to set the logout URL before closing the application. This way, you can ensure that no new Vaadin session is started. Note that calling Application.close() only closes the application, but doesn't (or at least, shouldn't) invalidate the HttpSession. If you have stored some sensitive information bound to the http session, you may call httpSession.invalidate() via some transaction listener (or maybe better, in the HttpServletRequestListener). This ensures that all your external http session-bound objects are removed (if any), when logging out. But that should be unnecessary, since using Vaadin, it is not a typical use case to explicitly bind data to the http session. By invalidating the http session, I don't think that URL redirection works... Correct me if I'm wrong.
However, if you want to show a Vaadin login view after you logged out, you have to accept the fact that a new Vaadin session will be created.
Thanks. Yeah, after realizing I'd have to override the LoginForm to do my own login layout (adding a checkbox to remember the username, which our label would be "Email" instead, and a link to reset the password through another process) anyway, it was easier to have a standalone login JSP and logoff JSP, with vaadin used for the logged-in state.
So for normal logout (setLogoutURL) I can go to my logout page with a standard message. Just part of our requirement, it auto-redirects to the login after a couple of seconds.
For unexpected errors (setSessionExpiredURL, setCommunicationErrorURL, setCommunicationErrorURL and setOutOfSyncURL), I can go to the logoff page with a message about the problem. In these scenarios, the auto-redirect to the login page doesn't take place so the user has time to review the issue.
Thanks again for your help.