How to close a vaadin session but keep http session

Posted 2019-07-05 01:59

I'm developing a vaadin 7 application with user authentication and authorization using jaas with a realm defined in the application server (glassfish).

I have these requirements:

  • A user can stay logged in for some time, so that he doesn't need to enter his password every time.
    I do this by setting the session timeout of the http session.

  • The vaadin session can lock some resources and while locked, no other session can use this resource. All locked resources are released when the vaadin session is closed.
    I set the heartbeat interval to only 15 seconds.

I'm not able to get both requirements to work at the same time. If I set the http session timeout to a minute, the resources are released a minute after closing the browser, but the user is not authenticated the next time.
If I set the http session timeout to some days, the user is authenticated for this time but the vaadin session is not instantly closed after 3 missed heartbeats. It will only be closed when the user uses the application the next time with the same http session.

How is it possible to achieve both requirements?

Here is more information on the technology I'm using:

  • Glassfish 4
  • web-app 3.1
  • vaadin 7.1.7
  • vaadin-cdi 1.0-SNAPSHOT

Thanks for any help

2 answers
对你真心纯属浪费
#2 · 2019-07-05 02:39

You might want to have a look at Spring Security and especially Remember-Me Authentication - an alternative I personally would use instead of trying to implement a secure persistent login myself.

If you want to go the DIY path:

I think that trying to separate the Vaadin from the Http Session is not such a good idea. The Application lifecycle section of the Vaadin book says:

When a new client connects, it creates a new user session, represented by an instance of VaadinSession. Sessions are tracked using cookies stored in the browser. … [The Vaadin Session] also provides access to the lower-level session objects, HttpSession and PortletSession, through a WrappedSession.

Perhaps you could change your solution of the first requirement ("A user can stay logged in for some time, so that he doesn't need to enter his password every time.") by separating the login credentials from the http session?

You could store some time-stamped and unique-id as a cookie (with expire-date) and customize the VaadinServlet with your own SessionInitListener and SessionDestroyListener to check for it (and set it) and either require the login credentials or accept the credentials from the client depending on the checks you do on the server.

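The SessionInitListener/SessionDestroyListener approach from the answer above, as an added example that is not part of the original post or of Vaadin itself. It uses Vaadin 7 APIs (VaadinServlet.servletInitialized, SessionInitListener, SessionDestroyListener, VaadinRequest.getCookies, VaadinResponse.addCookie) but the class names, the attribute name, the three-day token lifetime and the ResourceLocks registry are assumptions made for the example. The cookie carries only an opaque random token that is looked up in a server-side store, so the browser never holds the user's credentials, and the destroy listener releases locks whenever the VaadinSession closes, independently of how long the HTTP session lives:

```java
import com.vaadin.server.*;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical servlet: "remember-me" token separate from the HTTP session,
// plus lock release on VaadinSession destroy.
public class RememberMeServlet extends VaadinServlet {
    static final String COOKIE_NAME = "remember_me";          // assumption
    static final String USER_ATTR = "authenticated-user";     // assumption
    static final long TOKEN_TTL_MS = 3L * 24 * 60 * 60 * 1000; // assumption: 3 days

    // Server-side token store: opaque token -> (user, expiry). A real deployment
    // would persist this so tokens survive restarts and can be revoked.
    static final Map<String, TokenRecord> TOKENS = new ConcurrentHashMap<String, TokenRecord>();
    static final ResourceLocks LOCKS = new ResourceLocks();   // hypothetical registry
    static final SecureRandom RNG = new SecureRandom();

    @Override
    protected void servletInitialized() throws ServletException {
        super.servletInitialized();
        getService().addSessionInitListener(new SessionInitListener() {
            @Override
            public void sessionInit(SessionInitEvent e) {
                // A valid, unexpired token means the user may skip the password prompt.
                String user = userFromCookie(e.getRequest());
                if (user != null) {
                    e.getSession().setAttribute(USER_ATTR, user);
                }
                // Otherwise the UI shows the login form and calls issueToken() on success.
            }
        });
        getService().addSessionDestroyListener(new SessionDestroyListener() {
            @Override
            public void sessionDestroy(SessionDestroyEvent e) {
                // Runs whenever the VaadinSession closes, whatever the login state:
                // every resource this session locked is released here.
                WrappedSession ws = e.getSession().getSession();
                if (ws != null) {
                    LOCKS.releaseAll(ws.getId());
                }
            }
        });
    }

    /** Validate the remember-me cookie against the server-side store. */
    static String userFromCookie(VaadinRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (!COOKIE_NAME.equals(c.getName())) continue;
            TokenRecord rec = TOKENS.get(c.getValue());
            if (rec == null) return null;
            if (rec.expiresAt < System.currentTimeMillis()) {
                TOKENS.remove(c.getValue()); // expired: forget it and require a login
                return null;
            }
            return rec.user;
        }
        return null;
    }

    /** Called by the login UI after a successful JAAS login: issue a fresh opaque token. */
    public static void issueToken(String user, VaadinResponse resp) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        StringBuilder token = new StringBuilder();
        for (byte b : raw) token.append(String.format("%02x", b));
        TOKENS.put(token.toString(), new TokenRecord(user, System.currentTimeMillis() + TOKEN_TTL_MS));
        Cookie c = new Cookie(COOKIE_NAME, token.toString());
        c.setHttpOnly(true); // not readable from page scripts
        c.setSecure(true);   // only sent over HTTPS
        c.setPath("/");
        c.setMaxAge((int) (TOKEN_TTL_MS / 1000));
        resp.addCookie(c);
    }

    static final class TokenRecord {
        final String user;
        final long expiresAt;
        TokenRecord(String user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
    }

    /** Minimal lock registry: resource name -> owning HTTP session id. */
    static final class ResourceLocks {
        private final Map<String, String> owner = new ConcurrentHashMap<String, String>();

        boolean tryLock(String resource, String sessionId) {
            String prev = owner.putIfAbsent(resource, sessionId);
            return prev == null || prev.equals(sessionId);
        }

        void releaseAll(String sessionId) {
            for (Map.Entry<String, String> en : owner.entrySet()) {
                if (sessionId.equals(en.getValue())) owner.remove(en.getKey(), sessionId);
            }
        }
    }
}
```

The token is validated only on the server, so a stolen cookie is worth exactly one entry in the store and can be invalidated by deleting that entry; the login form should delete the entry again on logout. Locking is keyed by the HTTP session id held by the VaadinSession rather than by anything the client sends, so the destroy listener can release locks without trusting client input.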
狗以群分
#3 · 2019-07-05 02:53

There is some ambiguity in your question, but I believe you can resolve it by using your own close() method. You could create your own Vaadin Application class, with a custom close() method, or use TPTApplication and override its close() method:

http://vaadin.com/directory#addon/toolkit-productivity-tools:vaadin

Make sure the close is called when the session is closed, and do your cleanup there. This will also be called when the session ends.

If you can't ensure this (i.e. if the user just closes the window and you don't have some javascript to deal with this), you can intercept the window close with Vaadin, but it's quite a bit more work. When the user tries to close the window, you interrupt the process, do what you need to do via a callback, and then let the close occur. The details on how to do the interrupting from vaadin are shown here:

https://vaadin.com/forum/#!/thread/44621/44668
https://vaadin.com/forum/#!/thread/83207/83206

The callback is client side only, so you will have to make a call to the server (Get/POST via javascript) that will pass along the session id to a servlet that you have listening for this. The servlet would then release the locks using the passed in session id.

The key is listening for the window to close and being able to respond to it appropriately.
