Did you got any ideas on this one? As a newcomer to Flex/BlazeDS I'd like hear those?
I'll add my thoughts to the discussion you started.
2) How are people dealing with session time outs? (user clicking around in application and then they happen to make a server call but their session is gone. Do you simply poll every few minutes to keep the session alive?)
I check the session in a filter for each request. If there's no valid session, the filter sends a response message to flex app which shows it as a Alert message.I'm not (yet) using blaze, but I don't see why it wouldn't work.
If you want, you can configure the session timeout in the web.xml of your web app, so no need to poll. It would be nice to get asynchronous event from the server side when the session times out. This requires to use the pub/sub method of blaze or java messaging on a servlet.
The web.xml of the blazeDS samples has the following lines
<!-- Http Flex Session attribute and binding listener support --> <listener> <listener-class>flex.messaging.HttpFlexSession</listener-class> </listener>
To me this indicates that you can define a listener for the session somehow. It would be nice to know more about this.
3) Are people putting up a filter up before the blazeDS filter to check the user's session is valid? If the session isn't valid and you've set up a filter, what happens on the flex side of things if the filter finds an invalid session? It can only redirect for forward so how does it trigger the client flex app that it needs to invalidate its internal storage of an authenticated user and hence needs to redisplay the login page. I know how to set things up in a traditional java web app, but I'm a bit stumped here... I only have one main "FooBar.swf" file, so when the sesison filter realizes the user's session timed out where do I "go" - can I somehow just redirect to the same main page "FooBar.swf" and somehow Flex can be aware that "Hey ok some event happened so I need to invalidate my flex user and present the login page (login component)"
Why not just have different swfs? When the session is not valid, redirect to login.html (a wrapper for login component).
If I have understood correctly, Flex uses HTTP GET method to communicate with the browser. So it might be possible to send parameters to the app after the filter. Also, using java script and external interface might be helpful here.