Accessing VaadinSession in Spring AuthenticationProvider


I’m working on a Vaadin 14 application which needs to interface with a SOAP based webservice for databinding. I would like to wrap the Spring authentication around the SOAP authentication. When someone logs into my application I want it to attempt to log into the SOAP web service and only authenticate if SOAP login succeeds. I need to maintain the SOAP session for the duration of the Vaadin session and continue to use the authenticated SOAP session in data binding.

The flow should be:

For each unique visitor create a new SOAP session instance
Present loginForm to visitor
Authenticate visitor via SOAP session created earlier
Process visitor requests using Authenticated SOAP session

Currently I have a SessionService object that creates the SOAP session. LoginView instatiates the SessionService and stores the result in VaadinSession

public LoginView(@Autowired SessionService session) {
        VaadinSession.getCurrent().setAttribute(SessionService.class, session);

I have a CustomAuthenticationProvider and I’m trying to pull the VaadinSession data out so I can use the SOAP session for authentication.

VaadinSession vSession = VaadinSession.getCurrent();

vSession is null at this point. How can I access per session data in non-Vaadin threads?

Hi Matthew,

When you are getting the vSession, is that in a different thread than the UI interaction?

Edit - disregard, i noticed you wrote it is in a non-vaadin thread.

You may have to extend the VaadinServlet and manually keep track of sessions as they are created and destroyed. See Handling Session Initialization and Destruction in


do you have a specific need for it to be in VaadinSession? There is one VaadinSession per VaadinServlet.
Usually you are better off storing authentication related info in the HttpSession which you can easily access in all requests

I’m not sure if it needs to be in VaadinSession.

I have an Vaadin 14 Application protected by Spring Security. What I want to accomplish is everytime a user opens a new tab in their browser and connects to the application they are presented with a login screen. When they login I need to open a connection to another application via SOAP. As the user progresses through the Vaadin Application I want everything they do to use the same SOAP connection.


User A in browser tab 1 = SOAP Connection A1
User A in browser tab 2 = SOAP Connection A2
User B in browser tab 1 = SOAP Connection B1

i.e. I want to maintain separation of authentication for all users to the back end SOAP application.

I was using VaadinSession and getting a unique sessionID for each SOAP connection but I need to access that from the Spring Security context.


When a user connects to the Vaadin application they are unauthorized and are presented with the Vaadin Login page. This login page creates a new session object and stores it in VaadinSession.
When the user submits the loginForm they get run through Spring and end up in my CustomAuthenticationProvider. I need to access the session object, establish the SOAP connection and pass the authentication request to the SOAP server. If the SOAP server validates the authentication it is passed back through Spring to let the user into the Vaadin application.

The CustomAuthenicationProvider is not in the same thread as the loginForm/Vaadin and has no visibility to VaadinSession. I’m new to all of this, I’m looking into using Spring Beans, @ScopeProxy, etc.