Session Management Question

My application has a requirement that when the session expires, the user be given an opportunity to re-enter their user name/password to “refresh” the session and continue on (rather than creating a new session).

My idea is to make the actual HttpSession arbitrarily long, and then have a shorter timeout value that I check.

My question is, where in Vaadin would it be best to check this (pretty low level I would imagine), and would it be possible from there to force a login form on top of the application to reauthenticate?

AbstractApplicationServlet.service() might be the place to start looking at. I don’t know if blocking only UIDL requests or all requests is necessary in your case, but AAS.service() calls CommunicationManager.handleUidlRequest() to do any UIDL processing.

If you want to display a modal dialog instead of performing the user action, it might be possible to hook into AbstractCommunicationManager and create the modal dialog instead of performing the user action, but this is not trivial. This way, the user action that led to showing the dialog is probably lost, in addition to any changes sent with it (e.g. changes to non-immediate fields). Unfortunately, it looks like ACM.handleVariables() is private, so you might have to have a patched copy of the class.

Working on this level, you might also hit other private APIs that might change between Vaadin versions, so be prepared to re-test and possibly re-patch the one or two classes you touch when upgrading.
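Putting the questioner's idea (a long HttpSession plus a shorter timeout checked by the application) together with the hook point suggested in the reply, as an added example that is my own code and not from the original thread or from Vaadin: a servlet subclass overrides AbstractApplicationServlet.service() to enforce an application-level idle limit stored in the HttpSession, and an Application registers a TransactionListener that puts a modal LoginForm on top of the main window once that limit has been hit. Class names, session attribute names, the 15-minute limit and the abstract checkPassword() hook are assumptions; getRequestType() and RequestType are the protected members of Vaadin 6's AbstractApplicationServlet, and the user name is assumed to have been stored under ReauthServlet.USER by the initial login, which is outside this example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.vaadin.Application;
import com.vaadin.service.ApplicationContext.TransactionListener;
import com.vaadin.terminal.gwt.server.ApplicationServlet;
import com.vaadin.ui.Label;
import com.vaadin.ui.LoginForm;
import com.vaadin.ui.LoginForm.LoginEvent;
import com.vaadin.ui.LoginForm.LoginListener;
import com.vaadin.ui.Window;

/**
 * Servlet layer. The HttpSession stays long (set session-timeout in web.xml);
 * this override enforces the shorter application-level idle limit itself.
 * Class, attribute names and the limit are hypothetical choices for this example.
 */
public class ReauthServlet extends ApplicationServlet {

    static final String USER = "reauth.user";                 // set by the initial login (not shown)
    static final String LAST_ACTIVITY = "reauth.lastActivity";
    static final String REAUTH_REQUIRED = "reauth.required";
    static final long IDLE_LIMIT_MS = 15L * 60 * 1000;       // 15 minutes, an assumed value

    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        // Only UIDL requests are user interaction; theme/widgetset fetches must not count.
        // getRequestType()/RequestType are protected members of Vaadin 6's AbstractApplicationServlet.
        if (session != null && getRequestType(request) == RequestType.UIDL) {
            long now = System.currentTimeMillis();
            Long last = (Long) session.getAttribute(LAST_ACTIVITY);
            if (last != null && now - last.longValue() > IDLE_LIMIT_MS) {
                // Idle too long: flag the session. LAST_ACTIVITY is left alone until re-login.
                session.setAttribute(REAUTH_REQUIRED, Boolean.TRUE);
            } else if (!Boolean.TRUE.equals(session.getAttribute(REAUTH_REQUIRED))) {
                session.setAttribute(LAST_ACTIVITY, Long.valueOf(now));
            }
        }
        super.service(request, response); // normal Vaadin processing, UIDL handling included
    }
}

/** Application layer: on the next request after the flag is set, put a modal login on top. */
abstract class ReauthApplication extends Application implements TransactionListener {

    /** Hypothetical hook: the real application verifies the password against its user store. */
    protected abstract boolean checkPassword(String user, String password);

    private Window loginWindow; // non-null while the re-login dialog is showing

    @Override
    public void init() {
        Window main = new Window("Main");
        main.addComponent(new Label("Application content"));
        setMainWindow(main);
        getContext().addTransactionListener(this); // called at the start of every request
    }

    public void transactionStart(Application app, Object transactionData) {
        if (app != this || !(transactionData instanceof HttpServletRequest)) return;
        HttpSession session = ((HttpServletRequest) transactionData).getSession(false);
        if (session != null && loginWindow == null
                && Boolean.TRUE.equals(session.getAttribute(ReauthServlet.REAUTH_REQUIRED))) {
            showLoginWindow(session);
        }
    }

    public void transactionEnd(Application app, Object transactionData) { }

    private void showLoginWindow(final HttpSession session) {
        loginWindow = new Window("Session timed out, please sign in again");
        loginWindow.setModal(true);
        loginWindow.setClosable(false); // cannot be dismissed without logging in
        LoginForm form = new LoginForm();
        form.addListener(new LoginListener() {
            public void onLogin(LoginEvent event) {
                String user = event.getLoginParameter("username");
                String password = event.getLoginParameter("password");
                // The refreshed session must belong to the SAME user: otherwise a second person
                // could log in here and inherit the first user's session state.
                boolean sameUser = user != null && user.equals(session.getAttribute(ReauthServlet.USER));
                if (sameUser && checkPassword(user, password)) {
                    session.setAttribute(ReauthServlet.REAUTH_REQUIRED, Boolean.FALSE);
                    session.setAttribute(ReauthServlet.LAST_ACTIVITY, Long.valueOf(System.currentTimeMillis()));
                    getMainWindow().removeWindow(loginWindow);
                    loginWindow = null;
                } else {
                    getMainWindow().showNotification("Login failed");
                }
            }
        });
        loginWindow.addComponent(form);
        getMainWindow().addWindow(loginWindow);
    }
}
```

To wire this up, map ReauthServlet in web.xml with the `application` init-param naming a concrete subclass that implements checkPassword(), and set `<session-timeout>` there to the long value the HttpSession should keep. Two caveats: transactionStart() runs before the request's variable changes are applied, so the modal window only blocks further interaction; the action that triggered the timed-out request still executes in that same request, which is the trade-off the reply describes, and blocking it would need the servlet or communication-manager level handling discussed above. And the same-user comparison is not optional: "refreshing" an existing session with a different account would hand the first user's session state to the second.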