Edit: Moved to correct forum.
Edit 2: It seems like this is an intermittent issue - the problem only occurs after Tomcat has been idle for 1-3 minutes - the web.xml session timeout is set to 60 minutes currently.
I’ve recently started using Vaadin4Spring (https://github.com/peholmst/vaadin4spring), without Spring Boot, as a replacement for the third-party SpringIntegration plugin, but it appears to break when the @Secured annotation is used for anything but Vaadin View security, e.g. on Service layer methods called from Vaadin components (see the stack dump at the bottom).
I think I know what’s causing this bug: the Authentication object is dropped from the SecurityContextHolder between requests. A quick fix would involve storing the Authentication after login in the Vaadin session and writing a servlet-level request wrapper to restore the Authentication from the session back into the SecurityContextHolder, but this is basically a hack.
Is Vaadin4Spring going to be updated to fix this and/or is there a more elegant solution for ensuring the SecurityContextHolder always has the successful Authentication object between requests?
Specifically the error encountered by the AOP @Secured proxy is:
Caused by: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:339)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:198)
    at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:60)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207)
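
Added example (not part of the original post and not Vaadin4Spring code): a sketch of the servlet-level restore described above, which mirrors what Spring Security's own SecurityContextPersistenceFilter does for requests that pass through its filter chain. The class name and the session attribute are hypothetical, and it assumes the login code stores the Authentication in the HttpSession under that attribute and that no Spring Security filter chain already handles these requests.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical filter; map it in web.xml to the Vaadin servlet's URL pattern. */
public class RestoreAuthenticationFilter implements Filter {

    /** Hypothetical attribute name; the login code must store the Authentication under it. */
    public static final String AUTH_ATTRIBUTE = "app.authentication";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // getSession(false): never create a session just to look for credentials.
        HttpSession session = ((HttpServletRequest) request).getSession(false);
        Object stored = (session == null) ? null : session.getAttribute(AUTH_ATTRIBUTE);

        // Always start from a fresh context so nothing left on a pooled thread is reused.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        if (stored instanceof Authentication) {
            context.setAuthentication((Authentication) stored);
        }
        SecurityContextHolder.setContext(context);
        try {
            chain.doFilter(request, response);
        } finally {
            // The holder is thread-bound and Tomcat reuses worker threads: clear it so
            // the next request on this thread cannot inherit this user's Authentication.
            SecurityContextHolder.clearContext();
        }
    }

    @Override
    public void destroy() { }
}
```

The stored Authentication lives exactly as long as the HttpSession, so logout code has to invalidate the session (or remove the attribute) for the restore to stop.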