Hi Community,
I have a question that is puzzling me, and I could use some additional eyes to put me on the right track again.
Currently using Vaadin 14, Spring Boot and Spring Security 2.1.0 (but I have tested with Vaadin 10 and 12 as well → same behaviour).
WebSecurityConfig:
    http
        .csrf().disable()
        .authorizeRequests()
            //.antMatchers("/vaadinServlet/**").permitAll()
            //.antMatchers("/vaadinServlet/HEARTBEAT/**").permitAll()
            //.antMatchers("/").permitAll()
            .anyRequest().authenticated()
        .and()
        .formLogin()
            //.defaultSuccessUrl("/console")
            .defaultSuccessUrl("/")
            .permitAll()
        .and()
        .logout()
            //.logoutSuccessHandler(logoutSuccessHandler())
            //.logoutSuccessUrl("/")
            .permitAll();
            //.invalidateHttpSession(true)
            //.deleteCookies("JSESSIONID");
Problem description:
After performing a logout and a relogin, the user is always redirected to a vaadinServlet push (blank) page.
Either the user needs to manually change the URL in the address bar (to see the application again) or I need to close the browser session and reopen one to relogin.
If I disable the @Push command, then the logout/login behaves fine. This behaviour is only reproducible with @Push set on the main layout.
Steps to reproduce:
1. Login to the application -> redirected to / with authenticated user
2. Press the logout button -> redirected to /login again
3. Relogin to the application -> redirected to /vaadinServlet/?v-r=push&v-uiId=0&v-pushId=61d5b1bd-bdfc-467d-8edc-65850b6c1e56&X-Atmosphere-Transport=close&X-Atmosphere-tracking-id=090400fe-2161-4e65-aed2-6b7cf479bf5c&_=1569327047300 with authenticated user
Wanted behaviour:
On second login, just go to the main page / and not redirect to /vaadinServlet/?v-r=push…
My very cluttered logout section, because I have tried tons of stuff:
    // Redirect this page immediately
    SecurityContextHolder.clearContext();
    VaadinService.getCurrentRequest().getWrappedSession().invalidate();

    // Hack to turn off PUSH on all UIs first. Doing it this way to try to avoid spurious PUSH sessions reactivating.
    for (final UI ui : VaadinSession.getCurrent().getUIs()) {
        // ui.access((Command) new Runnable() {
        //     @Override
        //     public void run() {
        //         ui.getPushConfiguration().setPushMode(PushMode.DISABLED);
        //     }
        // });
        ui.access(new Command() {
            @Override
            public void execute() {
                LOGGER.info(String.format("DISABLE PUSH : %s", ui.getPage().getClass().toString()));
                ui.getPushConfiguration().setPushMode(PushMode.DISABLED);
            }
        });
    }

    // Force all UIs to be logged off when any UI logs off
    for (final UI ui : VaadinSession.getCurrent().getUIs()) {
        ui.access(new Command() {
            @Override
            public void execute() {
                LOGGER.info(String.format("SET LOCATION FOR : %s", ui.getPage().getClass().toString()));
                ui.getPage().setLocation("/");
            }
        });
        // ui.access((Command) new Runnable() {
        //     @Override
        //     public void run() {
        //         if (ui instanceof EsfVaadinUI) {
        //             EsfVaadinUI vui = (EsfVaadinUI) ui;
        //             vui.setLogoffUrlNormal();
        //             vui.getPage().setLocation(logoutUrl); // set the logoff page before we close the session
        //         }
        //     }
        // });
    }

    getUI().get().getPage().executeJs("window.location.href='logout'");
    //getUI().get().getPage().setLocation("/");

    // Close the session
    LOGGER.info(String.format("KOM IK HIER NOG IN SESSION CLOSE ?"));
    getUI().get().getSession().close();
    getUI().get().getPage().setLocation("/");
Questions that I have:
1. Am I supposed to redirect the user request? Am I supposed to close any PUSH-related sessions?
2. Do I need to execute some commands in a specific order?
3. Is there somebody willing to explain to me in detail the logout logic in relation to Atmosphere?
4. Should I take another approach?
5. Is there any documentation out there that I just need to read to find the answer?
Similar related issues that I found, but which have not revealed a solution to me:
https://vaadin.com/forum/thread/7885028
https://vaadin.com/forum/thread/15871148/spring-security-vaadin-push
Regards,
Jorn
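Added example, not part of Jorn's post and not Vaadin's or Spring Security's own code. It works from one assumption about the symptom described above: Spring Security's default success handler redirects to the last request it had to save because it was unauthenticated, and after the session is invalidated the Atmosphere GET with v-r=push and X-Atmosphere-Transport=close is exactly such a request, so it becomes the post-login redirect target. The configuration below keeps Vaadin's framework-internal requests (recognised by the v-r parameter that appears in the URL from step 3) out of the saved-request cache and lets them through the authorization rules, and the Vaadin-side logout delegates to Spring Security's LogoutFilter instead of clearing the context and invalidating the session by hand. The package name and the /login and /logout paths are assumptions; the v-r parameter and the Spring Security calls are real.

```java
// Added example (not Jorn's code, not Vaadin's or Spring Security's own):
// keeps Vaadin framework requests out of Spring Security's saved-request
// cache so a re-login lands on the configured success URL, not on
// /vaadinServlet/?v-r=push... . Package name and /login, /logout paths assumed.
package com.example.security;

import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;

import com.vaadin.flow.component.UI;
import com.vaadin.flow.server.VaadinServletRequest;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Vaadin tags its own requests (push, heartbeat, UIDL) with the v-r
     * parameter; v-r=push is the one visible in the reported redirect URL.
     * These never represent a page the user wants to return to after login.
     */
    private static boolean isVaadinInternalRequest(HttpServletRequest request) {
        return request.getParameter("v-r") != null;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Only remember requests a person could have typed or clicked. The
        // Atmosphere "close" request that follows session invalidation is a
        // plain GET; without this matcher it is what gets saved and replayed
        // as the post-login redirect.
        HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
        requestCache.setRequestMatcher(request -> !isVaadinInternalRequest(request));

        http
            // Vaadin carries its own CSRF token in every UIDL request, so the
            // servlet-level CSRF filter is disabled, as in the original config.
            .csrf().disable()
            .requestCache().requestCache(requestCache)
            .and()
            .authorizeRequests()
                // Framework requests only operate on an existing Vaadin session;
                // permitting them avoids 302-to-login answers on the push channel.
                .requestMatchers(WebSecurityConfig::isVaadinInternalRequest).permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin()
                // Passing 'true' here would force "/" after every login and is
                // the blunt alternative if deep links do not matter.
                .defaultSuccessUrl("/", false)
                .permitAll()
            .and()
            .logout()
                .logoutSuccessUrl("/login")          // assumed login page path
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .permitAll();
    }

    /**
     * Vaadin-side logout for a button's click listener. The browser is sent to
     * Spring Security's /logout endpoint (GET is accepted because CSRF is off)
     * and the security context is cleared through Spring's own handler, so the
     * two frameworks agree on the session instead of it being invalidated twice.
     */
    public static void logout() {
        UI.getCurrent().getPage().setLocation("/logout");
        new SecurityContextLogoutHandler().logout(
                VaadinServletRequest.getCurrent().getHttpServletRequest(), null, null);
    }
}
```

The request-cache matcher and the permitAll rule overlap on purpose: the matcher is what stops a framework request from ever becoming the saved request, and the permitAll rule stops the push channel from receiving a login redirect in the first place. Whether the symptom in the post has this cause can be checked by logging the value of SPRING_SECURITY_SAVED_REQUEST in the HTTP session right before the second login.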