Vaadin Session / JWT add custom Data

Hi everyone, and a happy new year. I need to add some custom data (key-value) to the session or into the JWT. This data is needed often throughout the whole application and is bound to a logged-in user.

I tried to add it to the VaadinSession, but I can't find the right place to add it (it should only be added once, after login).

I am using Spring Security with a UserServiceImpl and DAOAuthenticator.

Currently I have added the following to my MainLayout (constructor), but I don't know if that is reliable. Are there any suggestions?

private void addSessionData() {
    // Only populate the session once; on later navigations the attribute is already set
    if (VaadinSession.getCurrent().getAttribute("myKey") == null) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication != null) {
            // Derive the value from the authenticated principal, never from client input
            String userName = authentication.getName();
            String myValue = userRepository.findSupplierIdByCustomerNumber(userName);
            VaadinSession.getCurrent().setAttribute("myKey", myValue);
        }
    }
}

On the other hand, I use setStatelessAuthentication(http, new SecretKeySpec(Base64.getDecoder().decode(JWT_AUTH_KEY), JwsAlgorithms.HS256), "xx.wp", 86400); isn't there a way to add data to the JWT which I can read from any UI view?

Your solution is not bad. Adding it to the JWT is not possible because this must be done when the token is generated.

But instead of using VaadinSession.getCurrent() I would recommend using a Spring bean with VaadinSessionScope:

import org.springframework.stereotype.Component;
import com.vaadin.flow.spring.annotation.VaadinSessionScope;

@Component
@VaadinSessionScope
public class SessionData {

    // State attributes and getters/setters
}

That way it’s type-safe and you can inject the bean where you need it.

4 Likes

Ah, great, thank you! It makes it a lot easier if I want to add more data. Then I can use getters/setters instead of fetching the value via the key, which I need to look up every time :slight_smile:

2 Likes

I have now implemented it, but I have an issue which is not user-friendly. Does anyone have an idea?

I set a customerNumber in the VaadinSession, and a user navigates to a page where I read the customer number from the session. Assume the user keeps this page open and I restart the server. When he then reloads the page, the session is gone and the page shows an NPE because it can't find the customer number in the session.

Would it be better to store this customer number in the browser session?

I think I misused the Vaadin session in this use case.

Is the customer number secret data?

Sorry, stupid question. Initially you wanted to write it into the JWT.

I would suggest using a cookie.

A cookie is of course also a way. But if the user clears his browser cache and revisits the page some days later, I must implement a check “no cookie? > need to log in again”. But the JWT is deleted as well because he deleted his browser data, or? So he must go to the login anyway, log in, and that sets the cookie as well.

Another solution would be to get the authenticated user each time I need the customerNo and look the number up in the database using the username of the authenticated user. Then I don't need any storage in the browser because the username is available in Spring Security, right? But this will lead to heavy database load when a lot of users browse the app at the same time.

Where is the problem? Just get rid of the NPE. You have the user… just query for the customer number again if it's missing and store it in the session (again) for the really rare occurrence that the server is rebooted.

If you need the customer number for data access, you could simply do a join with the customer table; there is no need to fetch the customer number separately.
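The two suggestions above (a VaadinSessionScope bean instead of raw session attributes, and re-querying the customer number when the session has been lost) fit together in one bean. The following is an added example, not code from the original thread or from Vaadin or Spring; the repository interface CustomerLookup, its method findCustomerNumberByUsername, the OrdersView route and the package name are assumptions chosen for the illustration. It assumes stateless (JWT cookie) authentication as in the first post: after a server restart the JWT still authenticates the user on every request, while the VaadinSession and therefore this bean start out empty, so the bean re-derives the value from the current Authentication rather than trusting anything stored client-side.

```java
package com.example.app.security; // hypothetical package

import java.util.Optional;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

import com.vaadin.flow.component.html.Span;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.spring.annotation.VaadinSessionScope;

/** Hypothetical lookup; in a real app this is a Spring Data repository or a JDBC query. */
interface CustomerLookup {
    Optional<String> findCustomerNumberByUsername(String username);
}

/**
 * One instance per VaadinSession. The customer number is cached here so the
 * database is hit once per session, not once per view, and it is reloaded
 * transparently when the session is new (first login or after a server restart).
 */
@Component
@VaadinSessionScope
public class SessionData {

    private final CustomerLookup customerLookup;

    // Cached per session; null until first use or after the session was lost.
    private String customerNumber;
    // Principal the cached value belongs to, so a stale cache is never served
    // to a different user (defensive; a VaadinSession normally has one user).
    private String ownerUsername;

    public SessionData(CustomerLookup customerLookup) {
        this.customerLookup = customerLookup;
    }

    /** Returns the customer number of the currently authenticated user, loading it if needed. */
    public synchronized String getCustomerNumber() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // isAuthenticated() is also true for the anonymous token, so check the type explicitly.
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            throw new IllegalStateException("No authenticated user in this session");
        }
        String username = auth.getName();

        // Reload when nothing is cached yet (fresh session, e.g. after a restart)
        // or when the cache belongs to another principal. This replaces the NPE
        // path: the value is always derived from the server-side Authentication.
        if (customerNumber == null || !username.equals(ownerUsername)) {
            customerNumber = customerLookup.findCustomerNumberByUsername(username)
                    .orElseThrow(() -> new IllegalStateException(
                            "No customer number mapped to user " + username));
            ownerUsername = username;
        }
        return customerNumber;
    }

    /** Call this on logout or when the user's customer mapping changes. */
    public synchronized void clear() {
        customerNumber = null;
        ownerUsername = null;
    }
}

/** Hypothetical view: the bean is injected, no VaadinSession.getAttribute("...") lookups or casts. */
@Route("orders")
class OrdersView extends VerticalLayout {
    OrdersView(SessionData sessionData) {
        add(new Span("Orders for customer " + sessionData.getCustomerNumber()));
    }
}
```

Because the cache key is the server-side principal from Spring Security, a user cannot influence which customer number they get by tampering with anything in the browser; the JWT cookie only decides who they are, and the mapping to a customer is always resolved from the database on the server.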

OK, yeah, that sounds easy. I could (if no customer number is available in the session) query the customer again and re-add it to the session. Easy :smiley: :man_facepalming: