How to close a vaadin session but keep http session when browser closed?


Problem description

I'm developing a vaadin 7 application with user authentication and authorization using jaas with a realm defined in the application server (glassfish).

I have these requirements:

  • A user can stay logged in for some time, so that he doesn't need to enter his password every time.
    I do this by setting the session timeout of the http session.
  • The vaadin session can lock some resources and while locked, no other session can use this resource. All locked resources are released when the vaadin session is closed.
    I set the heartbeat interval to only 15 seconds.

I'm not able to get both requirements to work at the same time. If I set the http session timeout to a minute, the resources are released a minute after closing the browser, but the user is not authenticated the next time.
If I set the https session timeout to some days, the user is authenticated for this time but the vaadin session is not instantly closed after 3 missed heartbeats. It will only be closed when the user uses the application the next time with the same http session.

How is it possible to achieve both requirements?

Here is more information on the technology I'm using:

  • glassfish 4
  • web-app 3.1
  • vaadin 7.1.7
  • vaadin-cdi 1.0-SNAPSHOT

Thanks for your help

Recommended answer

You might want to have a look at Spring Security and especially Remember-Me Authentication - an alternative I personally would use instead of trying to implement a secure persistent login myself.

If you want to go the DIY path:

I think that trying to separate the Vaadin from the Http Session is not such a good idea. The Application lifecycle section of the Vaadin book says:

When a new client connects, it creates a new user session, represented by an instance of VaadinSession. Sessions are tracked using cookies stored in the browser. … [The Vaadin Session] also provides access to the lower-level session objects, HttpSession and PortletSession, through a WrappedSession.

Perhaps you could change your solution of the first requirement ("A user can stay logged in for some time, so that he doesn't need to enter his password every time.") by separating the login credentials from the http session?

You could store some time-stamped and unique ID as a cookie (with expire-date) and customize the VaadinServlet with your own SessionInitListener and SessionDestroyListener to check for it (and set it) and either require the login credentials or accept the credentials from the client depending on the checks you do on the server.
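
An added example (not from the original answer or from Vaadin): one way to do the server-side check for the time-limited, unique-ID cookie the answer describes, so the HTTP session timeout can stay short. The class RememberMeTokens and its methods are hypothetical; a SessionInitListener would pass the cookie value to redeem() and, on success, set a freshly issued HttpOnly, Secure cookie. Assumes Java 8 or later for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
// Hypothetical helper (not Vaadin API): server-side store for remember-me cookie tokens.
public class RememberMeTokens {
    private static final class Entry {
        final String user; final byte[] hash; final long expiresAt;
        Entry(String u, byte[] h, long x) { user = u; hash = h; expiresAt = x; }
    }
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, Entry> bySelector = new ConcurrentHashMap<>();
    private final long lifetimeMillis;
    public RememberMeTokens(long lifetimeMillis) { this.lifetimeMillis = lifetimeMillis; }

    // Cookie value is "selector.secret"; the server keeps only a hash of the secret.
    public String issue(String user, long now) {
        String selector = random(16), secret = random(32);
        bySelector.put(selector, new Entry(user, sha256(secret), now + lifetimeMillis));
        return selector + "." + secret;
    }

    // Returns the user for a valid cookie, else null. Single-use: caller sets a fresh cookie.
    public String redeem(String cookieValue, long now) {
        String[] p = cookieValue == null ? new String[0] : cookieValue.split("\\.", -1);
        if (p.length != 2) return null;
        Entry e = bySelector.remove(p[0]);
        if (e == null || now > e.expiresAt) return null;
        return MessageDigest.isEqual(e.hash, sha256(p[1])) ? e.user : null; // constant-time
    }

    private String random(int n) {
        byte[] b = new byte[n];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    private static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException ex) { throw new IllegalStateException(ex); }
    }

    public static void main(String[] args) { // constructed demo values
        RememberMeTokens t = new RememberMeTokens(1000);
        String c = t.issue("alice", 0);
        System.out.println(t.redeem(c, 500) + " " + t.redeem(c, 600)); // valid, then replayed
    }
}
```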
