V24 -> v25: changes in bean configuration

I just had a hard time finding out that the way the VaadinAwareSecurityContextHolderStrategy bean is configured has changed from Vaadin 24 to 25.
Before, this happened in VaadinAwareSecurityContextHolderStrategyConfiguration (annotated with @Component), but now we have SpringSecurityAutoConfiguration (annotated with @AutoConfiguration).
This leads to a different order in which beans are created, and since in this case the SecurityContextHolderStrategy is set to the static SecurityContextHolder.strategy, it leads to a different behaviour, e.g. in filters defined in SecurityFilterChains.

I searched the documentation, but couldn’t find any hint on this change. Would’ve been nice to add this to How to upgrade Vaadin applications.

Or is this snippet meant to be a hint?

It’s “just” now correctly instantiated as a Bean, which you can overwrite as needed: flow/vaadin-spring/src/main/java/com/vaadin/flow/spring/SpringSecurityAutoConfiguration.java at b861b29f9b1e766c2fb7cb8e14ba56a85e838b6f · vaadin/flow · GitHub

Of course, but nevertheless it’s a change of default behaviour. Don’t you agree that this is worth mentioning in an upgrade guide?

Yes and no… this thing feels like an internal for Vaadin’s Web Security… which normal people probably won’t even notice is there

I’d consider myself a normal person. I created my SecurityFilterChain according to Vaadin docs, and after upgrading from 24 to 25 it didn’t work anymore, so I don’t share your feeling that this is just an internal issue.

At least the

and import the Vaadin security context holder strategy

is a leftover and should be removed from the upgrade guide.
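
The order dependence described in the first post, as an added example that is not part of the thread and not Vaadin or Spring code: a component that reads the static `SecurityContextHolder` strategy once at construction keeps whatever was installed at that moment, while one that resolves it per call does not. `CustomStrategy`, `EagerComponent`, `LazyComponent` and `requireStrategy` are hypothetical names; only the `spring-security-core` types are real.

```java
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.context.SecurityContextImpl;

public class StrategyOrderDemo {

    // Hypothetical stand-in for a custom strategy (assumption, not Vaadin's class).
    static class CustomStrategy implements SecurityContextHolderStrategy {
        private final ThreadLocal<SecurityContext> holder =
                ThreadLocal.withInitial(SecurityContextImpl::new);
        @Override public void clearContext() { holder.remove(); }
        @Override public SecurityContext getContext() { return holder.get(); }
        @Override public void setContext(SecurityContext context) { holder.set(context); }
        @Override public SecurityContext createEmptyContext() { return new SecurityContextImpl(); }
    }

    // Captures the static strategy once, when the object is created.
    static class EagerComponent {
        final SecurityContextHolderStrategy strategy =
                SecurityContextHolder.getContextHolderStrategy();
    }

    // Resolves the static strategy on every call.
    static class LazyComponent {
        SecurityContextHolderStrategy strategy() {
            return SecurityContextHolder.getContextHolderStrategy();
        }
    }

    // Startup guard: fail fast if a component was built before the strategy was installed.
    static void requireStrategy(EagerComponent c, Class<?> expected) {
        if (!expected.isInstance(c.strategy)) {
            throw new IllegalStateException("component holds "
                    + c.strategy.getClass().getName() + ", expected " + expected.getName());
        }
    }

    public static void main(String[] args) {
        EagerComponent early = new EagerComponent();   // created before the strategy is set
        LazyComponent lazy = new LazyComponent();
        SecurityContextHolder.setContextHolderStrategy(new CustomStrategy());
        EagerComponent late = new EagerComponent();    // created after the strategy is set

        System.out.println("early: " + early.strategy.getClass().getSimpleName());
        System.out.println("late:  " + late.strategy.getClass().getSimpleName());
        System.out.println("lazy:  " + lazy.strategy().getClass().getSimpleName());
        requireStrategy(late, CustomStrategy.class);   // passes
        requireStrategy(early, CustomStrategy.class);  // throws: stale strategy captured
    }
}
```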