Hi.

I've been using Shiro for a few months now in other web frameworks, and am quite happy with it. I then tried on Vaadin, and now I'm having some issues.

To clarify, things seem to work fine with stock Vaadin. I found a sample Git repository and was able to authenticate against Shiro quite painlessly.

Problems arose when I tried plugging in the DontPush WebSockets add-on. Specifically, I cannot log out. I see in the logs that I'm logged out, but the cookie never gets cleared, and subsequent application loads show me as still remembered. If I don't check my "Remember me" option, everything works. So the problem seems to be with the cookie sticking around.

I've seen the javadoc for logout(), stating that it must be called before any content is rendered. I'm calling Vaadin's close() method immediately before (though I've done after as well), which should invalidate the session. Is there any workaround for a situation where you want to log out a subject and are invalidating the session manually yourself, but don't have control over the immediate rendering pipeline to clear the cookie?

A couple of things that come to mind: I don't know a whole lot about filters, or indeed about how Shiro gets from a cookie to a subject, but if logout() could invalidate the cookie payload on Shiro's end somehow, and if the filter could let invalid cookies through to my app, then I can watch for the cookie and clear it manually.

I'm also wondering if it's possible to delay the cookie clearing until the next request somehow? Some way to mark the subject such that it isn't logged out immediately, but will be the next time Shiro gets a chance to write some headers?

Any other suggestions would be greatly appreciated. I'm in a bit over my head with this, and am still trying to understand the magic that all of these frameworks are taking care of for me.
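As an added example (not code from the post, Vaadin, DontPush or Shiro): a servlet filter that treats the remember-me cookie as revocable on the server side, so the logout holds even when the response was already committed and Shiro had no chance to clear the cookie; the cookie is then expired on the next ordinary HTTP request, as the "delay until the next request" idea above suggests. It assumes Shiro's web module, the javax Servlet API and Shiro's default cookie name; the filter class, its method names and the in-memory revocation set are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.shiro.web.servlet.SimpleCookie;

/** Hypothetical filter, mapped in web.xml ahead of ShiroFilter. The logout handler records the
 *  remember-me cookie value it saw in a server-side revocation set; the next plain HTTP request
 *  still carrying that value has the cookie expired in the response and hidden from Shiro. */
public class RevokedRememberMeFilter implements Filter {
    static final String REMEMBER_ME = "rememberMe"; // Shiro's default remember-me cookie name
    // Revoked values; expire entries with the cookie's max-age, or use a shared store in a cluster.
    static final Set<String> REVOKED = ConcurrentHashMap.newKeySet();

    /** Call from the logout handler; works whether or not the response is already committed. */
    public static void revoke(HttpServletRequest request) {
        String value = rememberMeValue(request.getCookies());
        if (value != null) REVOKED.add(value);
    }
    static String rememberMeValue(Cookie[] cookies) {
        if (cookies == null) return null;
        for (Cookie c : cookies) if (REMEMBER_ME.equals(c.getName())) return c.getValue();
        return null;
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String value = rememberMeValue(request.getCookies());
        if (value != null && REVOKED.contains(value)) {
            // Expire the cookie in the browser (Max-Age=0) while this response is still open...
            new SimpleCookie(REMEMBER_ME).removeFrom(request, response);
            // ...and hide it from Shiro so this request is not resolved as a remembered subject.
            request = new HttpServletRequestWrapper(request) {
                @Override public Cookie[] getCookies() {
                    Cookie[] all = super.getCookies();
                    return all == null ? null : Arrays.stream(all)
                            .filter(c -> !REMEMBER_ME.equals(c.getName())).toArray(Cookie[]::new);
                }
            };
        }
        chain.doFilter(request, response);
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

The cookie clear is only a courtesy to the browser; the revocation set is what actually ends the remembered identity, so a client that keeps presenting the old cookie is still refused.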
