Vaadin and Shiro/Spring security

Does Vaadin use the servlet session to store all state? Does Vaadin create threads?

There is a wiki article, and it uses ThreadLocal storage to hold state for an unknown reason. This should fail because a servlet container usually uses a thread pool.

Will frameworks like Apache Shiro/Spring Security work smoothly with Vaadin? I mainly mean static methods like SecurityContext.getCurrentUser() which can be called from anywhere.

I’m confused and need help with it.

Take a look at the transactionStart and transactionEnd methods. transactionStart is called at the beginning of the HTTP request and transactionEnd at the end of the request. The ThreadLocal variable is updated in these methods. If you do not update the ThreadLocal variable in these methods, then it will fail because of thread pooling, just like you mentioned.

I’m not familiar with Apache Shiro/Spring Security, so I can’t help you with that. Maybe someone else can comment on this subject? I do recall that there have been threads on the forum about Spring Security, and Petter is currently writing an article about it.

The question is: why should it be ThreadLocal? Its value is stored in the Vaadin application object, which should be stored, I guess, in the servlet session, so no updates are needed at all. Am I wrong?

To be able to access the variable in a static way. I think there is an error in the example code:

    public SMSApp getInstance() {
        return currentApplication.get();
    }

This should most likely be a static method. Otherwise I do not see any need for the ThreadLocal.
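
The thread-pool behaviour discussed above, as an added example that is not code from the wiki article or from any poster. It reuses the names mentioned in the thread (currentApplication, getInstance, transactionStart, transactionEnd); the App class, the handle method and the one-thread pool are assumptions made to keep it self-contained.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added example with hypothetical names (App, handle); no Vaadin classes are used.
public class ThreadLocalPerRequestDemo {

    // Stands in for the per-session application object kept in the servlet session.
    static final class App {
        final String user;
        App(String user) { this.user = user; }
    }

    private static final ThreadLocal<App> currentApplication = new ThreadLocal<>();

    // Static accessor: callers anywhere in the code can reach the current App.
    static App getInstance() { return currentApplication.get(); }

    // Request start: bind this session's App to the worker thread.
    static void transactionStart(App app) { currentApplication.set(app); }

    // Request end: unbind so the pooled thread carries nothing into the next request.
    static void transactionEnd() { currentApplication.remove(); }

    // Simulates one HTTP request and returns the user that static callers would see.
    static String handle(App sessionApp, boolean bind) {
        if (bind) transactionStart(sessionApp);
        App seen = getInstance();
        return seen == null ? "<none>" : seen.user;
    }

    public static void main(String[] args) throws Exception {
        // A pool of one thread forces both sessions onto the same worker thread.
        ExecutorService pool = Executors.newFixedThreadPool(1);
        App alice = new App("alice");
        App bob = new App("bob");

        // Broken: the first request binds and never clears; the second does not bind,
        // so the static accessor still hands back the previous session's App.
        System.out.println("no rebind, request 1: " + pool.submit(() -> handle(alice, true)).get());
        System.out.println("no rebind, request 2: " + pool.submit(() -> handle(bob, false)).get());

        // Correct: bind at request start and clear at request end, on every request.
        for (App app : new App[] { alice, bob }) {
            System.out.println("rebind per request:   " + pool.submit(() -> {
                try { return handle(app, true); } finally { transactionEnd(); }
            }).get());
        }
        pool.shutdown();
    }
}
```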

I spent a whole evening on this ThreadLocal thing with Shiro 1.2: basically, if you don’t get it right, the Shiro subject will expire as soon as the thread changes.

Solution: use Shiro’s ShiroFilter to initialize it. Add the following into your web.xml and don’t do any initialization in your Vaadin application; just directly use SecurityUtils.getSubject()