Closed heruan closed 1 year ago
Would it be enough to just add some logic to make sure that only the very first HttpSessionListener triggers the actual initialization whereas later invocations would be no-ops because the initialization has already been started?
I think there are two issues here. First is that if we continue using HttpSessionListener we need to make sure the init is done only once. Second is that if the Vaadin application is integrated into another servlet-based application, VaadinService might be null at the session init time. We log a message for this case currently but we might need to provide a straightforward way to do the AppSec Kit init in such case.
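// Field on the listener: flips to true the first time init is started
private final AtomicBoolean initStarted = new AtomicBoolean();

// In the session listener callback
VaadinService currentService = VaadinService.getCurrent();
// Skip when no service is available; getAndSet lets only the first caller through
if (currentService != null && !initStarted.getAndSet(true)) {
    init(currentService);
}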
Closed in #53
While the Vaadin 8 module uses VaadinServiceInitListener to initialize the kit, the Vaadin 7 module doesn't have that interface available and it currently uses HttpSessionListener for the same purpose. This means that the kit is initialized, a scan is run and automatic scans are scheduled for every session. This is not optimal and we must consider a better approach, e.g. providing a custom VaadinService to hook up to initialization.
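The once-only guard from the comments above, as a stand-alone added example (not the project's code and not taken from #53). The class name OnceInitDemo, the Supplier/Consumer stand-ins for VaadinService.getCurrent() and the kit's init, and the reset of the flag after a failed init are assumptions made here; the example covers both points raised in the thread: many sessions created concurrently, and a service that is still null when the first session arrives.

```java
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;
import java.util.function.Supplier;

/** Runs an initializer at most once, however many sessions are created. */
public class OnceInitDemo<S> {
    private final AtomicBoolean initStarted = new AtomicBoolean();
    private final Supplier<S> serviceLookup; // hypothetical stand-in for VaadinService::getCurrent
    private final Consumer<S> init;          // hypothetical stand-in for the kit's init(service)

    public OnceInitDemo(Supplier<S> serviceLookup, Consumer<S> init) {
        this.serviceLookup = serviceLookup;
        this.init = init;
    }

    /** Intended to be called from a session-created callback; true if this call ran init. */
    public boolean onSessionCreated() {
        S service = serviceLookup.get();
        if (service == null) {
            return false; // embedded case: no service yet, flag stays clear for a later session
        }
        if (!initStarted.compareAndSet(false, true)) {
            return false; // another session already started the init
        }
        try {
            init.accept(service);
            return true;
        } catch (RuntimeException e) {
            initStarted.set(false); // assumption: a failed init should not block a later attempt
            throw e;
        }
    }

    public static void main(String[] args) throws InterruptedException {
        AtomicInteger runs = new AtomicInteger();
        AtomicReference<String> service = new AtomicReference<>(); // constructed: null at first
        OnceInitDemo<String> guard = new OnceInitDemo<>(service::get, s -> runs.incrementAndGet());
        guard.onSessionCreated();            // service missing: nothing is initialized
        service.set("constructed-service");  // constructed sample value
        Thread[] sessions = new Thread[8];   // eight sessions created concurrently
        for (int i = 0; i < sessions.length; i++) {
            sessions[i] = new Thread(guard::onSessionCreated);
            sessions[i].start();
        }
        for (Thread t : sessions) t.join();
        System.out.println("init runs: " + runs.get());
    }
}
```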