Posted to user@shiro.apache.org by Nolan Darilek <no...@thewordnerd.info> on 2013/01/25 04:02:16 UTC

Shiro, Vaadin, push and logging out

Hi.

I've been using Shiro for a few months now in other web frameworks, and 
am quite happy with it. I then tried it on Vaadin, and now I'm having some 
issues.

To clarify, things seem to work fine with stock Vaadin. I found a sample 
Git repository and was able to authenticate against Shiro quite painlessly.

Problems arose when I tried plugging in the DontPush web sockets addon. 
Specifically, I cannot log out. I see in the logs that I'm logged out, 
but the cookie never gets cleared, and subsequent application loads show 
me as still remembered. If I don't check my "Remember me" option, 
everything works. So the problem seems to be with the cookie sticking 
around.

I've seen the javadoc for logout(), stating that it must be called 
before any content is rendered. I'm calling Vaadin's close() method 
immediately before (though I've done after as well), which should 
invalidate the session. Is there any workaround for a situation where 
you want to log out a subject and are invalidating the session manually 
yourself, but don't have control over the immediate rendering pipeline 
to clear the cookie?

A couple things that come to mind: I don't know a whole lot about 
filters, or indeed about how Shiro gets from a cookie to a subject, but 
if logout() could invalidate the cookie payload on Shiro's end somehow, 
and if the filter could let invalid cookies through to my app, then I 
can watch for the cookie and clear it manually.

I'm also wondering if it's possible to delay the cookie clearing until 
the next request somehow? Some way to mark the subject such that it 
isn't logged out immediately, but will be the next time Shiro gets a 
chance to write some headers?

Any other suggestions would be greatly appreciated. I'm in a bit over my 
head with this, and am still trying to understand the magic that all of 
these frameworks are taking care of for me.