Issue with User Session Persistence in Vaadin with Spring Security

Hi everyone,

I’m developing a Vaadin Flow application with Spring Boot and Spring Security and I’m facing an issue with user sessions.

I’m using SecurityContextHolder to retrieve the currently logged-in user.

I’m also using VaadinSession to try and maintain the session state.

However, when I refresh the page, the user gets logged out.

I was expecting the session to persist across page refreshes. Could someone guide me on how to properly handle user sessions in Vaadin to keep users logged in after a page refresh?

Did you check that the JSESSION cookie is the same after a refresh? If yes: the HTTP session did not terminate and it’s more like a problem in your code instead of the Vaadin(Http)Session.

If you use VaadinWebSecurity, it configures the SecurityContextHolder to use VaadinSession, not HttpSession. This means that VaadinSession deserialization needs to be performed before Spring Security in your filter chain.


Can you explain more on that?

I really can’t without knowing more details on your setup.

Here is my GitHub repo

This is just a side observation. This storing of the user info in a VaadinSession attribute is not necessary.

As I pointed out above, VaadinWebSecurity will configure the SecurityContextHolder to use VaadinSession already.


To access user information you can also inject into your view the AuthenticationContext object provided by Vaadin.
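
The approach from the last two replies, as an added example that is not code from this thread or from the poster's repository: a view that takes the injected AuthenticationContext and reads the user from it on each load, with no copy kept in a VaadinSession attribute. It assumes Vaadin 24 with Spring Boot, a security configuration that already extends VaadinWebSecurity, and a principal of type UserDetails; the class name `MainView` and the route are hypothetical.

```java
// Added example; MainView and the "" route are hypothetical names.
import java.util.Optional;

import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.html.Span;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.spring.security.AuthenticationContext;
import jakarta.annotation.security.PermitAll;
import org.springframework.security.core.userdetails.UserDetails;

@Route("")
@PermitAll // any authenticated user may open this view
public class MainView extends VerticalLayout {

    public MainView(AuthenticationContext authContext) {
        // The view is rebuilt after a browser refresh, so the user is looked
        // up again here from the security context instead of being cached in
        // a custom VaadinSession attribute.
        // Assumption: the authenticated principal is a UserDetails instance.
        Optional<UserDetails> user =
                authContext.getAuthenticatedUser(UserDetails.class);

        if (user.isPresent()) {
            add(new Span("Signed in as " + user.get().getUsername()));
            // logout() ends the authenticated session for this user.
            add(new Button("Log out", click -> authContext.logout()));
        } else {
            // Defensive branch: with @PermitAll an unauthenticated request
            // should already have been redirected to the login view.
            add(new Span("No authenticated user"));
        }
    }
}
```

If this view shows the user after login but not after a refresh while the session cookie is unchanged, the lookup itself is not the problem and the filter chain and session configuration are the place to check.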