vaadin / flow

Vaadin Flow is a Java framework binding Vaadin web components to Java. This is part of Vaadin 10+.
Apache License 2.0

VaadinAwareSecurityContextHolderStrategy should collaborate with customizations of the security context repository #19992

Open jorgheymans opened 1 week ago

jorgheymans commented 1 week ago

In our spring-security configuration we have this:

    http.securityContext(
            customizer ->
                // store the security context as request attribute and not session
                customizer.securityContextRepository(
                    new RequestAttributeSecurityContextRepository()));

However, VaadinAwareSecurityContextHolderStrategy attempts to fetch the SecurityContext from the session first and falls back to a self-managed ThreadLocal storage. Should it not just assume that, if a RequestAttributeSecurityContextRepository is configured, it can fetch it from there instead?
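
The lookup order the issue asks about, as an added sketch that is not part of the original post and is not Vaadin's code: a `SecurityContextHolderStrategy` that reads the request attribute written by `RequestAttributeSecurityContextRepository` first and only then falls back to a `ThreadLocal`. The class name `RequestAttributeAwareStrategy` is hypothetical. It assumes the repository was created with its no-arg constructor (default attribute name) and that `RequestContextHolder` is populated for the current thread, for example by Spring's `RequestContextFilter`.

```java
import java.util.Objects;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;

// Hypothetical strategy for illustration: request attribute first, ThreadLocal second.
public final class RequestAttributeAwareStrategy implements SecurityContextHolderStrategy {

    // Attribute name used by RequestAttributeSecurityContextRepository's no-arg constructor.
    private static final String ATTR =
            RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME;

    // Fallback for threads with no bound request, or requests with no saved context.
    private final ThreadLocal<SecurityContext> fallback = new ThreadLocal<>();

    @Override
    public SecurityContext getContext() {
        // A context saved on the current request is authoritative when present.
        SecurityContext fromRequest = requestContext();
        if (fromRequest != null) {
            return fromRequest;
        }
        SecurityContext ctx = fallback.get();
        if (ctx == null) {
            // Never return null: callers expect an (unauthenticated) empty context.
            ctx = createEmptyContext();
            fallback.set(ctx);
        }
        return ctx;
    }

    @Override
    public void setContext(SecurityContext context) {
        fallback.set(Objects.requireNonNull(context, "context"));
    }

    @Override
    public void clearContext() { fallback.remove(); }

    @Override
    public SecurityContext createEmptyContext() { return new SecurityContextImpl(); }

    private static SecurityContext requestContext() {
        RequestAttributes attrs = RequestContextHolder.getRequestAttributes();
        if (attrs == null) { return null; } // no request bound to this thread
        Object value = attrs.getAttribute(ATTR, RequestAttributes.SCOPE_REQUEST);
        return (value instanceof SecurityContext sc) ? sc : null;
    }
}
```

A request attribute lives only for the duration of one request, so code running outside a request thread always lands on the `ThreadLocal` branch and sees an empty context unless one was set explicitly.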