hi,
i’m trying to figure out how to redirect the browser back to the login page on a session timeout. more generally, on a session timeout, communication error, internal error, or out of sync error, i’d like to navigate to spring’s /j_spring_security_logout handler, which will take the user back to the login screen.
i’m using vaadin 6.7.8 with jboss 7.0.2. i’m also using spring security.
in my application class, i have the following constants
private static final String LOGOUT_URL = "/j_spring_security_logout";
private static final String APP_CONTEXT_PATH = "/app";
private static final String FULL_LOGOUT_URL = APP_CONTEXT_PATH + LOGOUT_URL;
in my application’s init() method, i have
String appContextPath = ((WebApplicationContext)getContext()).getHttpSession().getServletContext().getContextPath();
setLogoutURL(appContextPath + LOGOUT_URL);
in my application class, i’ve written the following getSystemMessages method
public static SystemMessages getSystemMessages() {
CustomizedSystemMessages m = new CustomizedSystemMessages();
m.setSessionExpiredNotificationEnabled(false);
m.setSessionExpiredURL(FULL_LOGOUT_URL );
m.setCommunicationErrorNotificationEnabled(false);
m.setCommunicationErrorURL(FULL_LOGOUT_URL );
m.setInternalErrorNotificationEnabled(false);
m.setInternalErrorURL(FULL_LOGOUT_URL );
m.setOutOfSyncNotificationEnabled(false);
m.setOutOfSyncURL(FULL_LOGOUT_URL );
return m;
}
and to help with debugging, i’ve overridden Application.close()
@Override
public void close() {
super.close();
}
if i force a CommunicationError (e.g. i take down JBoss while a browser has loaded the app, then perform an action in the browser that requires server communication) i see the browser navigate as expected to the FULL_LOGOUT_URL .
i also have a ‘Sign Out’ button in my app, which when clicked calls getApplication().close(). as part of this processing, i see the client redirected to the logoutUrl (AbstractCommunicationManager.endApplication() makes this happen)…
on a session timeout, Application.close() is called, as i expect. but we never redirect the client to logoutUrl or FULL_LOGOUT_URL. AbstractCommunicationManager.endApplication() is not called. if the user attempts to use the application in a browser after the session has timed out (e.g. they click something that makes a backend call), we’ll get a CommunicationError, which will force the user back to the FULL_LOGOUT_URL . but i’d like the client to automatically be taken to FULL_LOGOUT_URL (or logoutUrl) on a session timeout, without manual interaction required.
is there a way to accomplish this?
ideally i’d like the client to ‘know’ it was a session timeout (and not any old CommunicationError) so that i can include a message like ‘Your session timed out’ on the login screen. but at least initially, if i can make the app navigate back to logoutUrl/FULL_LOGOUT_URL without the user having to click something, that’d be great.
thanks.
-mike
On a page like that, you could drop the refresh interval to every 25 minutes and forget about it. There’s still the burden on the server of keeping a session around, but you at least lose the security problem if you’re manually checking and invalidating the session while a user is logged in. (In other words, manually track sessions while the user is logged in, but use the refresher and don’t track on a login page.)