logging out (application.close()) from within onRequestStart

Hi,

I need to make some checks and eventually log the user out from within application’s onRequestStart().
However, calling application’s close() method effectively clears the session, but the code flow which originated the call persists, so code “goes on running” (and generates missing privileges exceptions, etc.).

Is there a way - maybe a dirty trick by playing with request/response objects? - to clear the session and go back to your home window from within onRequestStart()?

Thanks very much for your help,

Marco

I have more or less the same question in this thread. In my case, I can do the timing checks and invalidate the session from within the listener I attach to the Refresher add on. (Except for a problem I’ve discussed in another thread about “unexpected calls from client to server” it all works perfectly!)

In your case, I don’t have a good answer, but a BIG hack would be to add a mouse listener to all your buttons and check for logout there. Not a great idea, but it may work. :slight_smile:

I hope there’s a better solution to this. Maybe we need an RFE…

Cheers,
Bobby

Hi Bobby,

yes, I think our problems are actually the same one, so the whole question should be maybe reformulated as: “is there any way to discard a UIDL request”?

wow, a huge hack indeed… :slight_smile:

thanks for answering, let’s see if there’s some other hint by anyone… :slight_smile:

Marco

I’ve been able to nearly get what I was searching for by calling close() and then throwing a RuntimeException.
It may not be “elegant” (the application shows “Internal error…”), but it essentially forces the user to log in again, so it works. (The downside is that you cannot automatically redirect the user to the login window.)

Bye,
Marco

I can share with you how we did login logout checks, it may be a bit hacky, but works for us :slight_smile:
This solution does not clear the session and you can log in again within the same session, with another user.

We store the loginname in a servletContext attribute to prevent double logins:

    private void ui_sessionLogout()
    {
        if (activeUser != null) // to catch if the session times out before anyone logged in
        {
            String loginname = activeUser.getLoginname();

            if (UI_isSessionLoggedIn(loginname))
                ((WebApplicationContext) application.getContext()).getHttpSession().getServletContext().removeAttribute("loginName:" + loginname);
        }
    }

    private void ui_sessionLogin(String loginname)
    {
        ((WebApplicationContext) application.getContext()).getHttpSession().getServletContext().setAttribute("loginName:" + loginname, new Object());
    }

    public boolean UI_isSessionLoggedIn(String loginname)
    {
        WebApplicationContext context = (WebApplicationContext) application.getContext();

        if (context == null)
            return false;

        return (context.getHttpSession().getServletContext().getAttribute("loginName:" + loginname) != null);
    }

On normal logout just
{
ui_sessionLogout();
//goto login screen
}

To log out on session timeout just override close in the Application.

    @Override
    public void close()
    {
        ui_sessionLogout();
        super.close();
    }

One thing we have not solved is logging out when the user quits the browser.
It is possible to catch this case with a closeListener on the main window, but this is mixed up with the refresh button in the browser, and you do not want to log out on refresh.

thanks, but my case seems different: I want the administrator to be able to logoff any logged in user,

take the following example:
a) I suspect that user Paul is misusing my company’s data,
b) so I log in as Administrator and downgrade Paul by removing some capabilities from his account,
c) but, at this point, user Paul is already logged, his privilege schema has already been loaded into session and won’t be read again until a new login procedure,
d) so I need a way to “kick him off” :slight_smile:

that’s why I coded as explained above (onRequestStart + RuntimeException to stop the execution flow),

thanks,

Marco

You can accomplish that with our method:

Admin logs in and wants to kick Paul:
//In code
((WebApplicationContext) application.getContext()).getHttpSession().getServletContext().removeAttribute("loginName:" + "Paul");

  • disable Paul's account in some way

Paul wants to continue what he is doing:

//in the method onRequestStart:
if ( ! UI_isSessionLoggedIn("Paul"))
{
//goto login screen
// + maybe give an explanation ?
}

//Paul tries to log in again (within the same session)
//He can't, he has lost his rights

I also tried to use the session object to solve this issue, but using the servlet context worked better.

Good Luck! :slight_smile:

If you just end the user’s session, won’t it effectively do what you want? Does it really matter that the UI presentation be particularly nice in such an odd scenario? I mean, I presume the next action the user took would get a session error just like they do if it times out naturally.

this is what I tried first, but it won’t work - at least, it didn’t work for me,

for example, if Paul presses a button in the window he’s currently using, the execution flow will be:
onRequestStart > session check > new window loading > old window button’s buttonClick() event
(the last part being unnecessary and possibly ugly/dangerous)

so thanks for your trick explanation, which in some ways is similar to what I did and I’m doing, except for the last part: I don’t “goto login screen” but I throw an ugly but efficient RuntimeException :slight_smile:

thanks,

Marco

Hi David and thank you too for answering,

yes, that’s actually what I ended up with: the session being definitely closed and an exception being thrown to stop the execution of previously called methods,

and yes, the downside is only that the user gets a red error, which forces him to relogin()… which is IMHO acceptable :slight_smile:

thanks very much,

Marco
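
An added example, not code from any post in this thread: plain Java with no Vaadin classes, sketching the pattern the thread converges on (check at request start, close the session, throw so the pending handler never runs). All names are hypothetical, and the per-user epoch counter is a substitute for the servlet-context attribute used above, chosen because it also catches privilege changes and not only kicks.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; every name here is hypothetical.
public class ForcedLogoutDemo {
    // Application-wide map: login name -> privilege epoch, bumped on every change or kick.
    static final Map<String, Integer> EPOCHS = new ConcurrentHashMap<>();

    static class SessionRevoked extends RuntimeException {
        SessionRevoked(String user) { super("session revoked for " + user); }
    }

    static class Session {
        String user; int epoch; boolean open;

        void login(String u) { user = u; epoch = EPOCHS.computeIfAbsent(u, k -> 0); open = true; }
        void close() { open = false; user = null; }

        // Stand-in for onRequestStart(): runs before any event handler of the request.
        void onRequestStart() {
            if (!open) throw new SessionRevoked("(closed session)");
            if (EPOCHS.getOrDefault(user, -1) != epoch) {
                String u = user;
                close();                     // drop the privileges cached at login
                throw new SessionRevoked(u); // abort, so the pending handler is skipped
            }
        }

        // One request: the gate first, the button handler only if the gate passes.
        String handle(Runnable buttonClick) {
            try { onRequestStart(); }
            catch (SessionRevoked e) { return "rejected: " + e.getMessage(); }
            buttonClick.run();
            return "handled";
        }
    }

    // Called by the administrator after changing or removing a user's capabilities.
    static void adminRevoke(String user) { EPOCHS.merge(user, 1, Integer::sum); }

    public static void main(String[] args) {
        Session paul = new Session();
        paul.login("Paul");
        System.out.println(paul.handle(() -> System.out.println("export report")));
        adminRevoke("Paul"); // Paul is still logged in with stale privileges
        System.out.println(paul.handle(() -> System.out.println("export report")));
        System.out.println(paul.handle(() -> System.out.println("export report")));
    }
}
```

The check and the abort sit in the same place, so a click that arrives after the revocation is rejected before its handler touches any data, which is the ordering problem described in the thread.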