Session sharing the logged in user
Hi!
This must be basic but I have researched a LOT and it doesn't make any sense at all...
I have this Authentication class that, after a login, stores the user to the session. Ok.
Then I have an abstract definition of a view that on 'enter' checks if the current user is null and, if so, navigates back to the login screen (to prevent access to views).
The problem is that when my friend logs in to the site, I can access the locked views in his account just by typing the URL in the browser.
This is my authentication class:
http://pastebin.com/jt3xFurA
When any of my views 'enter' they call the 'enter' method that calls this from the abstract view:
    @Override
    public void enter(ViewChangeEvent event) {
        main.updateCurrentUser();
    }
Which is:
    /**
     * Updates the topbar current user or goes to login screen
     */
    public void updateCurrentUser() {
        titleBar.updateCurrentUser();
        // Leave if no user
        if (Authentication.currentUser() == null) {
            if (!navigator.getState().equals(Navigation.LOGIN)
                    && !navigator.getState().equals(Navigation.CREATEUSER)) {
                navigator.navigateTo(Navigation.LOGIN);
            }
        }
    }
Current user should return null for me since I haven't logged in. My friend did but that should be in his session, shouldn't it?
For any given URL a user's access has a unique UI instance but shares the same session. Your Authentication.currentUser() call will return the data last put there, which in your example, is your friend's user data. You would need a separate key for each UI (not re-use "CURR_USER"), or store user data in each UI rather than in the common session.
I added a

    public static long GENID = 0L;
    private long ID = 0L;

to my UI and I'm using "currentUserSessionKey + ID" as key to the session:

    long ID = ((InvoidwebUI) UI.getCurrent()).getID();

So my setSessionAttribute is like this:

    private static void setSessionAttribute(String key, Object attribute) {
        long ID = ((InvoidwebUI) UI.getCurrent()).getID();
        // Save to vaadin session
        VaadinSession.getCurrent().setAttribute(key + ID, attribute);
        VaadinSession.getCurrent().getSession().setAttribute(key + ID, attribute);
    }
And still the same behavior is happening.
My UI IDs are being created in the init call:

    @Override
    protected void init(VaadinRequest request) {
        [...]
        // Increase the ui id, store this ui id
        ID = GENID++;
    }
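
The reply above names two options, and the thread only tries the first (a per-UI session key). A sketch of the second, keeping the user in the UI instance and checking it before any view change, as an added example that is not code from the thread. It assumes the Vaadin 7 navigator API; `ExampleUI`, `TextView`, the view names and `login()` are hypothetical.

```java
import com.vaadin.navigator.Navigator;
import com.vaadin.navigator.View;
import com.vaadin.navigator.ViewChangeListener;
import com.vaadin.server.VaadinRequest;
import com.vaadin.ui.Label;
import com.vaadin.ui.UI;
import com.vaadin.ui.VerticalLayout;

// Hypothetical UI for illustration; every name here is an assumption.
public class ExampleUI extends UI {
    static final String HOME = "";                 // protected default view
    static final String LOGIN = "login";           // public views
    static final String CREATEUSER = "createuser";

    // Instance field: one value per UI object. It must not be static,
    // or every UI in the JVM would see the same user.
    private String currentUser;

    public static class TextView extends VerticalLayout implements View {
        public TextView(String text) { addComponent(new Label(text)); }
        @Override public void enter(ViewChangeListener.ViewChangeEvent event) { }
    }

    @Override
    protected void init(VaadinRequest request) {
        final Navigator navigator = new Navigator(this, this);
        navigator.addView(HOME, new TextView("Protected content"));
        navigator.addView(LOGIN, new TextView("Login form goes here"));
        navigator.addView(CREATEUSER, new TextView("Sign-up form goes here"));
        // The check runs before the target view is shown, so a protected
        // view is never rendered for a UI that has no user.
        navigator.addViewChangeListener(new ViewChangeListener() {
            @Override
            public boolean beforeViewChange(ViewChangeEvent event) {
                String target = event.getViewName();
                boolean isPublic = LOGIN.equals(target) || CREATEUSER.equals(target);
                if (currentUser == null && !isPublic) {
                    navigator.navigateTo(LOGIN);
                    return false; // block the navigation that was requested
                }
                return true;
            }
            @Override public void afterViewChange(ViewChangeEvent event) { }
        });
    }

    // Call only after the credentials have been verified.
    public void login(String verifiedUsername) { currentUser = verifiedUsername; }
    public void logout() { currentUser = null; }
}
```

Because the field lives in the UI object, a browser reload creates a new UI and the user has to log in again unless the UI is annotated with `@PreserveOnRefresh`.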