Vaadin lets you build secure, UX-first PWAs entirely in Java.
Free ebook & tutorial.
Other User's HttpSession invalidation in Vaadin 14 + Spring Boot
I'm currently using Spring Boot, Vaadin 14 and Tomcat 9.0.27. Basically I want to log other users out from the app by invalidating/expiring target user's session. For example an admin locks normal user's account and this should result in user's session invalidation. I used following example as a guideline for my solution https://www.baeldung.com/spring-security-track-logged-in-users#alternative-method-using-sessionregistry. Basically I queried from SessionRegistry all of user's active SessionInformation's and expired them like this
SessionInformation.expireNow(). This solution seems to work since after expiring all user's active sessions the user is redirected to login page since the user is no longer considered to be authenticated by Spring Security. Still I'm not sure if my solution is stable/good since right after a user's session is expired I get following errors in log.
2020-01-16 13:28:25.720 ERROR 960 --- [sphere-Shared-0] c.v.f.s.c.PushAtmosphereHandler : Exception in push connection java.io.IOException: Connection remotely closed for c94479c4-5b63-43be-af84-e3d2346ccf8c at org.atmosphere.websocket.WebSocket.write(WebSocket.java:230) at org.atmosphere.websocket.WebSocket.write(WebSocket.java:220) at org.atmosphere.websocket.WebSocket.write(WebSocket.java:46) at org.atmosphere.cpr.AtmosphereResponseImpl$Stream.write(AtmosphereResponseImpl.java:957) at org.atmosphere.handler.AbstractReflectorAtmosphereHandler.onStateChange(AbstractReflectorAtmosphereHandler.java:155) at com.vaadin.flow.server.communication.PushAtmosphereHandler.onStateChange(PushAtmosphereHandler.java:52) at org.atmosphere.cpr.DefaultBroadcaster.invokeOnStateChange(DefaultBroadcaster.java:1037) at org.atmosphere.cpr.DefaultBroadcaster.prepareInvokeOnStateChange(DefaultBroadcaster.java:1057) at org.atmosphere.cpr.DefaultBroadcaster.executeAsyncWrite(DefaultBroadcaster.java:871) at org.atmosphere.cpr.DefaultBroadcaster$2.run(DefaultBroadcaster.java:474) at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) at java.base/java.lang.Thread.run(Thread.java:834) 2020-01-16 13:28:25.722 ERROR 960 --- [sphere-Shared-0] c.v.f.server.communication.PushHandler : Could not get resource. This should never happen.
I don't really know what this error actually means but it must have something to do with Spring managed session invalidation. Does anyone know what this error message means and in addition how does Vaadin handle it's sessions if I validate HttpSession via Spring's SessionRegistry? One of my main concerns is that Vaadin's managed sessions might not be removed/expired by Vaadin once HttpSession is invalidated by
I've been investigating the issue and it seems that if I disable @Push annotation I don't get the stack trace in op anymore. The issue might be that once I expire the session Atmosphere framework doesn't know about it and still tries to write to this connection which has been tampered with from outside of it's control.