I’m quite new to the Vaadin toolkit and I’m finishing my first application with it. I’m at the point where I need to add authentication to the application. I’m running on WebLogic and using a custom security realm with form-based authentication.
For login, I use a JSP page that posts normally to j_security_check, and after a successful login the user is forwarded to my Vaadin application.
I’m doing programmatic logout using weblogic.servlet.security.ServletAuthentication.logout(HttpServletRequest request) and weblogic.servlet.security.ServletAuthentication.invalidateAll(HttpServletRequest request).
After logout the user is forwarded back to the login page, but when the user tries to log in again from the login page I get a blank screen with IE and Firefox. In Google Chrome my Vaadin application is opened correctly at this point.
This was caused by Spring security remembering the last request URL it saw (which in this case is the “window closed” message), and login re-executing that request for an already closed application rather than opening a new application.
I tested this again with the nightly build and I still got the same problem. I tested with Spring Security and it works, but by using it I will face other problems related to the custom realm.
Is there a better way to access the HttpServletRequest in my LoginHandler class than getting it with the thread pattern? My current implementation feels a bit ugly.
In my application class I have the following:
    // ThreadLocal holder for the application instance
    // (declaration assumed; it was not shown in the original post).
    private static ThreadLocal<MyApplication> thisApplication =
            new ThreadLocal<MyApplication>();

    // Request of the transaction currently being processed.
    private HttpServletRequest request;

    /*
     * Set ThreadLocal application.
     * @param t the application instance
     */
    public static void setProject(MyApplication t) {
        thisApplication.set(t);
    }

    /*
     * Get ThreadLocal application.
     */
    public static MyApplication getProject() {
        return thisApplication.get();
    }

    /*
     * For ThreadLocal pattern.
     */
    public void transactionStart(Application application, Object transactionData) {
        request = (HttpServletRequest) transactionData;
        if (application == MyApplication.this) {
            thisApplication.set(this);
        }
    }

    public HttpServletRequest getRequest() {
        return request;
    }
Then I access the request object in my LoginHandler with the MyApplication.getProject().getRequest() method so I can pass it to the WebLogic session invalidate method.
Should I implement an application close listener and execute the WebLogic session invalidate methods in there?
I tested the logout one more time and implemented it like you described, but the result is still the same. I also created a simple test application to test the logout functionality and I still get the blank window after re-login.
Application:
    import com.vaadin.Application;
    import com.vaadin.terminal.ExternalResource;
    import com.vaadin.terminal.gwt.server.WebApplicationContext;
    import com.vaadin.ui.Button;
    import com.vaadin.ui.HorizontalLayout;
    import com.vaadin.ui.SplitPanel;
    import com.vaadin.ui.Window;
    import com.vaadin.ui.Button.ClickEvent;

    public class LoginTestApplication extends Application {

        @Override
        public void init() {
            HorizontalLayout layout = new HorizontalLayout();
            SplitPanel splitPanel = new SplitPanel(
                    SplitPanel.ORIENTATION_VERTICAL);
            splitPanel.addComponent(layout);
            setMainWindow(new Window("LoginTest", splitPanel));
            layout.addComponent(new Button("Logout",
                    new Button.ClickListener() {
                        public void buttonClick(ClickEvent event) {
                            logout();
                        }
                    }));
        }

        private void logout() {
            // Close the Vaadin application, redirect the browser to the
            // application URL, then invalidate the HTTP session.
            close();
            getMainWindow().open(new ExternalResource(getURL().getPath()));
            ((WebApplicationContext) getContext()).getHttpSession().invalidate();
        }
    }