VaadinSession.getCurrent() is null

I use the LazyDownloadButton for creating a Button on one of my views in order to produce a PDF file preview. LazyDownloadButton is needed because the filename is dynamic… Within the click handling lambda, I call my service method to create the PDF with user-specific data. In order to get the current user I use the security context:

Authentication auth = SecurityContextHolder.getContext().getAuthentication();

But auth is null and also


return null. I inspected the client requests within the browser; all contain the same JSESSION cookie and the same CSRF token within the JSON payload. For all other requests the auth returns the matching user, as long as the SecurityContextHolderStrategy includes a lookup into the VaadinSession, which is the case with included in Vaadin 23 (in contrast to Vaadin 14).
How can I put such requests into the current Vaadin session?

That looks very similar to this: security - Vaadin 14 and Push: Accessing Spring SecurityContext and Authentication outside the request thread - Stack Overflow

And this page should help you (and Petter’s webinar Securing Vaadin apps with Spring Security: Best Practices | Vaadin)

This part of the video if I remember it correctly:

Thanks @faithful-emu for your response. But the solution shown by Petter I already use, first by manually implementing that VaadinAwareSecurityContextHolderStrategy as mentioned in and later, after updating to Vaadin 23, I saw that such a strategy is always in place, coming from package. But the problem still remains, as the topic is already titled: VaadinSession.getCurrent() is null. In this case, the VaadinAwareSecurityContextHolderStrategy also returns only an empty Optional… I think the main question is: why is the session null if the underlying request contains the session cookie and the CSRF token?

I don’t know the lazy button, but if it’s done in a thread to download a file, that’s not related to Vaadin, so it’s normal if the Vaadin session is null. You can get the auth from the main thread and save it (like it’s done in the Stack Overflow answer). I thought there were multiple different solutions in the security webinar.
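One way to apply the advice above: capture the Authentication once on the UI/request thread (where VaadinSession.getCurrent() is still set) and hand it explicitly to the stream callback that the add-on runs on its own worker thread. This is an added example, not code from the thread; it assumes the LazyDownloadButton add-on constructor (text, filename Supplier, InputStreamFactory) and a hypothetical PdfService.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.util.Objects;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.server.InputStreamFactory;

// Assumed add-on import/signature: LazyDownloadButton(String, Supplier<String>, InputStreamFactory).
import org.vaadin.stefan.LazyDownloadButton;

public class PdfPreviewButton {

    // Hypothetical service: byte[] createPdf(String username)
    private final PdfService pdfService;

    public PdfPreviewButton(PdfService pdfService) {
        this.pdfService = pdfService;
    }

    public Button create() {
        // Runs on the request thread: VaadinSession is current, so the
        // Vaadin-aware strategy can resolve the authenticated user. Fail fast
        // instead of building an anonymous download if nobody is logged in.
        Authentication auth = Objects.requireNonNull(
                SecurityContextHolder.getContext().getAuthentication(),
                "no authenticated user on the request thread");
        String username = auth.getName();

        InputStreamFactory pdfStream = () -> createStream(auth);
        return new LazyDownloadButton("Preview PDF",
                () -> "preview-" + username + ".pdf", pdfStream);
    }

    private InputStream createStream(Authentication auth) {
        // Runs on the add-on's worker thread: VaadinSession.getCurrent() is
        // null here, so the captured auth is used instead of a fresh lookup.
        // Publishing it into this thread's context lets service-layer
        // security checks (@PreAuthorize etc.) keep working; it is cleared
        // afterwards so the pooled thread never leaks another user's identity.
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(auth);
        SecurityContextHolder.setContext(ctx);
        try {
            return new ByteArrayInputStream(pdfService.createPdf(auth.getName()));
        } finally {
            SecurityContextHolder.clearContext();
        }
    }
}
```

The captured Authentication is a snapshot taken at click time; if the session can be invalidated while a long download is running, re-check the user in the service rather than trusting the snapshot blindly.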