fix: allow access to SecurityContext for invalidated http session (#23004) (#23017)

vaadin-bot · knoobie · mcollovati · web-flow · commit d2c01e59b144 · 2025-12-17T14:11:37.000Z
Co-authored-by: Knoobie &lt;Knoobie@gmx.de&gt;
Co-authored-by: Marco Collovati &lt;marco@vaadin.com&gt;
diff --git a/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java b/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
@@ -69,11 +69,17 @@ private Optional<SecurityContext> getFromVaadinSession() {
         if (session == null || session.getSession() == null) {
             return Optional.empty();
         }
-        Object securityContext = session.getSession().getAttribute(
-                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
-        if (securityContext instanceof SecurityContext) {
-            return Optional.of((SecurityContext) securityContext);
-        } else {
+        try {
+            Object securityContext = session.getSession().getAttribute(
+                    HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
+            if (securityContext instanceof SecurityContext context) {
+                return Optional.of(context);
+            } else {
+                return Optional.empty();
+            }
+        } catch (IllegalStateException ignored) {
+            // Session throws IllegalStateException when accessing
+            // attributes of an invalid session
             return Optional.empty();
         }
     }
diff --git a/vaadin-spring/src/test/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategyTest.java b/vaadin-spring/src/test/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategyTest.java
@@ -81,4 +81,22 @@ public void explicitUsedWhenNoSessionAvailable() {
         Assert.assertEquals(explicit,
                 vaadinAwareSecurityContextHolderStrategy.getContext());
     }
+
+    @Test
+    public void getContext_invalidateSession_getsThreadSecurityContext() {
+        SecurityContext explicit = Mockito.mock(SecurityContext.class);
+        vaadinAwareSecurityContextHolderStrategy.setContext(explicit);
+
+        VaadinSession vaadinSession = Mockito.mock(VaadinSession.class);
+        HttpSession httpSession = Mockito.mock(HttpSession.class);
+        Mockito.when(vaadinSession.getSession())
+                .thenReturn(new WrappedHttpSession(httpSession));
+        Mockito.doThrow(IllegalStateException.class).when(httpSession)
+                .getAttribute(
+                        HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
+        VaadinSession.setCurrent(vaadinSession);
+
+        Assert.assertEquals(explicit,
+                vaadinAwareSecurityContextHolderStrategy.getContext());
+    }
 }
