
I'm developing a Vaadin 7 application with user authentication and authorization using JAAS with a realm defined in the application server (GlassFish).

I have these requirements:

  • A user can stay logged in for some time, so that he doesn't need to enter his password every time.
    I do this by setting the session timeout of the http session.

  • The vaadin session can lock some resources and while locked, no other session can use this resource. All locked resources are released when the vaadin session is closed.
    I set the heartbeat interval to only 15 seconds.

I'm not able to get both requirements to work at the same time. If I set the http session timeout to a minute, the resources are released a minute after closing the browser, but the user is not authenticated the next time.
If I set the http session timeout to some days, the user is authenticated for this time but the vaadin session is not instantly closed after 3 missed heartbeats. It will only be closed when the user uses the application the next time with the same http session.

How is it possible to achieve both requirements?

Here is more information on the technology I'm using:

  • Glassfish 4
  • web-app 3.1
  • vaadin 7.1.7
  • vaadin-cdi 1.0-SNAPSHOT

Thanks for any help

raffael
    Can you please clarify what kind of locked resources you have to release? Or do you mean resources in general? – Renat Gilmanov Oct 23 '13 at 16:40
  • Well in my case the resources are some entries in a database. I'm using my own locking mechanism. But the key question really is how to close a vaadin session without invalidating the http session after the browser was closed. My workaround now is to just release my locked db entries but keep the vaadin session. I have a timer that checks every minute if the heartbeat is still received. – raffael Oct 23 '13 at 20:50

2 Answers


You might want to have a look at Spring Security and especially Remember-Me Authentication - an alternative I personally would use instead of trying to implement a secure persistent login myself.

If you want to go the DIY path:

I think that trying to separate the Vaadin session from the HTTP session is not such a good idea. The Application lifecycle section of the Vaadin book says:

When a new client connects, it creates a new user session, represented by an instance of VaadinSession. Sessions are tracked using cookies stored in the browser. … [The Vaadin Session] also provides access to the lower-level session objects, HttpSession and PortletSession, through a WrappedSession.

Perhaps you could change your solution of the first requirement ("A user can stay logged in for some time, so that he doesn't need to enter his password every time.") by separating the login credentials from the http session?

You could store some time-stamped and unique id as a cookie (with expire date) and customize the VaadinServlet with your own SessionInitListener and SessionDestroyListener to check for it (and set it) and either require the login credentials or accept the credentials from the client depending on the checks you do on the server.

xwoker
  • Thanks for the answer. Remembering the user is not really a problem for authentication only. Spring Security could be used or my own cookie with a token. This would decouple the authentication from the http session. But I'm also using authorization (@RolesAllowed annotation) and that's where the harder part of my problem is. Of course, I could take another framework for authorization too, but I do not really want to do that. – raffael Oct 30 '13 at 15:52
  • Couldn't you use the authentication information when a user opens your application to do an auto-login? So there shouldn't be any need to change anything in your authorization code. Or do I miss the point you're making? – xwoker Oct 30 '13 at 16:51
  • On the first login I use username and password to do a programmatic login (HttpServletRequest.login()). As long as the http session exists this works for authorization. If I use a token to remember the user I would have to do a login based on that token. I don't know how to do that. Or I could remember the password somewhere in my application, but I don't like that idea. So keeping the http session for some time seems to be the best idea for me, but I'd like to close the vaadin session. – raffael Oct 31 '13 at 11:36
  • Good luck. If you find a solution please post it. I think it will be hard to attach a newly created Vaadin session to an existing http session without some hacking deep inside the framework. But I might be wrong. – xwoker Oct 31 '13 at 14:18
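One shape the cookie-based approach in this answer could take, as an added example that is not the poster's or Vaadin's own code: a VaadinServlet that mints a random remember-me token after a password login, keeps only its hash server side, and restores the login from the cookie in a SessionInitListener. The class, cookie name, token store and the `"user"` session attribute are assumptions, and it assumes Java 8 (method reference and `java.util.Base64`) on top of Vaadin 7.1.

```java
import com.vaadin.server.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;

// Hypothetical servlet: checks a remember-me cookie whenever a new VaadinSession is created.
public class RememberMeServlet extends VaadinServlet {
    static final String COOKIE_NAME = "remember-me";   // hypothetical cookie name
    static final int MAX_AGE_SECONDS = 7 * 24 * 3600;  // cookie lifetime: one week
    // SHA-256(token) -> username. Only the hash is kept, so a leaked store yields no usable
    // cookies; a real deployment would persist this together with an expiry time.
    private final ConcurrentHashMap<String, String> tokenStore = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    @Override
    protected void servletInitialized() throws ServletException {
        super.servletInitialized();
        getService().addSessionInitListener(this::onSessionInit);
    }
    // Runs once per new VaadinSession. A valid token logs the user in at application
    // level only; it does not set the container's JAAS principal used by @RolesAllowed.
    private void onSessionInit(SessionInitEvent event) {
        Cookie[] cookies = event.getRequest().getCookies();
        if (cookies == null) return;
        for (Cookie c : cookies) {
            if (!COOKIE_NAME.equals(c.getName())) continue;
            String user = tokenStore.get(hash(c.getValue()));
            if (user != null) event.getSession().setAttribute("user", user);
        }
    }
    // Call after a successful password login: mints a random token and sets the cookie.
    public void issueToken(String user, VaadinResponse response) {
        byte[] raw = new byte[32];                      // 256 bits from SecureRandom
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokenStore.put(hash(token), user);
        Cookie cookie = new Cookie(COOKIE_NAME, token);
        cookie.setHttpOnly(true);                       // not readable by page scripts
        cookie.setSecure(true);                         // sent over HTTPS only
        cookie.setMaxAge(MAX_AGE_SECONDS);
        response.addCookie(cookie);
    }
    private static String hash(String token) {
        try { return Base64.getUrlEncoder().encodeToString(
                MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8))); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

As the comment thread points out, this only restores the application-level login; the container principal behind @RolesAllowed is not re-established by a cookie check alone, which is the part the asker still has to solve.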

There is some ambiguity in your question, but I believe you can resolve it by using your own close() method. You could create your own Vaadin Application class, with a custom close() method, or use TPTApplication and override its close() method:

http://vaadin.com/directory#addon/toolkit-productivity-tools:vaadin

Make sure the close is called when the session is closed, and do your cleanup there. This will also be called when the session ends.

If you can't ensure this (i.e. if the user just closes the window and you don't have some javascript to deal with this), you can intercept the window close with Vaadin, but it's quite a bit more work. When the user tries to close the window, you interrupt the process, do what you need to do via a callback, and then let the close occur. The details on how to do the interrupting from vaadin are shown here:

https://vaadin.com/forum/#!/thread/44621/44668
https://vaadin.com/forum/#!/thread/83207/83206

The callback is client side only, so you will have to make a call to the server (Get/POST via javascript) that will pass along the session id to a servlet that you have listening for this. The servlet would then release the locks using the passed in session id.

The key is listening for the window to close and being able to respond to it appropriately.

Mark Waschkowski
  • Thanks for thinking about my problem, but I think this is not a solution for my problem. Overriding the UI.close() (I'm using vaadin 7) function is already done, but it is not called, because the vaadin session is not closed if the http session does not timeout. Catching the browser closing event in javascript is possible, but it can't be assured that it will work in all cases (e.g. browser crash). I'd like to close a Vaadin Session from a timer thread or another session but keep the http session belonging to the closed vaadin session. – raffael Oct 28 '13 at 18:54