Micro Frontends and Spring Security

Hi All,

I have an environment where I use a number of Vaadin/Spring Boot apps as Micro Frontends to a main Vaadin/Spring Boot app.

I have now added spring security to the main app, (which is a SAML redirect to a different app to provide authentication), but not touched the other apps (yet). The security all works fine if I run the main app on its own (and keep the other apps turned ‘off’), I can navigate between tabs, click on things etc. If I fire up one of the Micro Frontend apps (which are exported by the WebComponentExporter etc) then once logged into the main app (via SAML) as soon as I navigate around and it shows one of the Micro Frontends I get a Spring Security error…

HttpSessionSecurityContext Repository - SecurityContext is empty or contents are anonymous - context will not be stored in a httpSession.


SecurityContextPersistenceFilter - SecurityContextHolder now cleared.

Which then stops Vaadin frontend from talking with the backend, due to the session nolonger being authenticated. (I guess).

Has anybody done/seen this before and can give some pointers??




Maybe it’s related to this problem: https://vaadin.com/forum/thread/18464903/allow-user-to-open-app-in-browser-more-than-once

Basically you are sharing the same cookie in these 2 applications, so if you go to one application it invalidates the session of the other application.

Ah yes, that makes sense, I will try that now.