I've implemented a Web application using Spring MVC. The Web application is integrated in a system that has a desktop user interface. I would like to allow users to close Web application's sessions from the destkop GUI.
I tried implementing a non very elegant solution: invoke httpsession's invalidate but it breaks sometimes when the session being invalidated is used within a running http request. It throws an IllegalStateException at DispatcherServlet when it is trying to invoke render (specifically at WebUtil.getSessionAttribute) because it is trying to access a session attribute and the session is already invalid.
So my question is: is there any way to kick a user from its session from a non-http-request thread without having conflicts with running http requests? Or at least a conflict that I can manage.
Thanks,
Jorge
You could hand-roll a mechanism involving a static set of sessions that you want to expire, and a servlet filter that checks this set for the current session, then calls session.invalidate and redirects the user cleanly. Your desktop API would simply add a session to this set, and the user would become invalidated cleanly (in an HTTP request thread) upon the following request.
In order to prevent memory leaks, you would also need a listener to remove a session from this set upon invalidation- thus ensuring that this set only contains valid sessions.