Hi,
I’m currently using Spring Boot, Vaadin 14 and Tomcat 9.0.27. Basically I want to log other users out from the app by invalidating/expiring target user’s session. For example an admin locks normal user’s account and this should result in user’s session invalidation. I used following example as a guideline for my solution https://www.baeldung.com/spring-security-track-logged-in-users#alternative-method-using-sessionregistry. Basically I queried from SessionRegistry all of user’s active SessionInformation’s and expired them like this SessionInformation.expireNow(). This solution seems to work since after expiring all user’s active sessions the user is redirected to login page since the user is no longer considered to be authenticated by Spring Security. Still I’m not sure if my solution is stable/good since right after a user’s session is expired I get following errors in log.
2020-01-16 13:28:25.720 ERROR 960 --- [sphere-Shared-0]
c.v.f.s.c.PushAtmosphereHandler : Exception in push connection
java.io.IOException: Connection remotely closed for c94479c4-5b63-43be-af84-e3d2346ccf8c
at org.atmosphere.websocket.WebSocket.write(WebSocket.java:230)
at org.atmosphere.websocket.WebSocket.write(WebSocket.java:220)
at org.atmosphere.websocket.WebSocket.write(WebSocket.java:46)
at org.atmosphere.cpr.AtmosphereResponseImpl$Stream.write(AtmosphereResponseImpl.java:957)
at org.atmosphere.handler.AbstractReflectorAtmosphereHandler.onStateChange(AbstractReflectorAtmosphereHandler.java:155)
at com.vaadin.flow.server.communication.PushAtmosphereHandler.onStateChange(PushAtmosphereHandler.java:52)
at org.atmosphere.cpr.DefaultBroadcaster.invokeOnStateChange(DefaultBroadcaster.java:1037)
at org.atmosphere.cpr.DefaultBroadcaster.prepareInvokeOnStateChange(DefaultBroadcaster.java:1057)
at org.atmosphere.cpr.DefaultBroadcaster.executeAsyncWrite(DefaultBroadcaster.java:871)
at org.atmosphere.cpr.DefaultBroadcaster$2.run(DefaultBroadcaster.java:474)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
2020-01-16 13:28:25.722 ERROR 960 --- [sphere-Shared-0]
c.v.f.server.communication.PushHandler : Could not get resource. This should never happen.
I don’t really know what this error actually means but it must have something to do with Spring managed session invalidation. Does anyone know what this error message means and in addition how does Vaadin handle it’s sessions if I validate HttpSession via Spring’s SessionRegistry? One of my main concerns is that Vaadin’s managed sessions might not be removed/expired by Vaadin once HttpSession is invalidated by SessionInformation.expireNow().