
Unexpected security context used when using UI.access across VaadinSessions #906

@Artur-

Given a UI with, e.g., account information showing the account balance for the currently logged-in user

    private void updateBalanceText() {
        String name = utils.getAuthenticatedUserInfo().getFullName(); // <- Uses the security context
        BigDecimal balance = bankService.getBalance(); // <- Uses the security context
        this.balanceSpan.setText(String.format("Hello %s, your bank account balance is $%s.", name, balance));
    }

and a global "refresh" event listened to as

        registration = Broadcaster.addMessageListener(e -> {
            getUI().get().access(() -> this.updateBalanceText());
        });

you would expect that the security context used is the one associated with the UI you access. However, as the security context by default is tied to the thread using a ThreadLocal, you will end up with the following situation:

ui-access-does-not-set-security-context.mov
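
An added example, not part of the original issue or of Vaadin's or Spring Security's code: a plain-Java model of the situation described above, next to one possible mitigation. Assumptions: the `ThreadLocal` `CURRENT_USER` stands in for the security context, the `LISTENERS` list stands in for `Broadcaster`, `Ui.access` is simplified to run the task on the calling thread, and `withOwnerContext` is a hypothetical helper.

```java
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

public class UiAccessContextDemo {
    // Stand-in for a thread-bound security context (hypothetical, not a library class).
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();
    // Stand-in for the issue's Broadcaster: listeners run on the sender's thread.
    static final List<Runnable> LISTENERS = new CopyOnWriteArrayList<>();

    // Simplified UI (assumption): access() runs the task on whichever thread calls it.
    static class Ui {
        final String owner;          // user whose session this UI belongs to
        String balanceText = "";
        Ui(String owner) { this.owner = owner; }
        void access(Runnable task) { task.run(); }
        void updateBalanceText() {
            // Reads the thread-bound context, like updateBalanceText() in the issue.
            balanceText = "Hello " + CURRENT_USER.get();
        }
    }

    // Installs the UI owner's context for the duration of the task,
    // then restores whatever the calling thread had before.
    static Runnable withOwnerContext(Ui ui, Runnable task) {
        return () -> {
            String previous = CURRENT_USER.get();
            CURRENT_USER.set(ui.owner);
            try {
                task.run();
            } finally {
                if (previous == null) CURRENT_USER.remove(); else CURRENT_USER.set(previous);
            }
        };
    }

    public static void main(String[] args) {
        Ui plain = new Ui("alice");    // constructed sample users
        Ui wrapped = new Ui("alice");
        LISTENERS.add(() -> plain.access(plain::updateBalanceText));
        LISTENERS.add(() -> wrapped.access(withOwnerContext(wrapped, wrapped::updateBalanceText)));

        CURRENT_USER.set("bob");           // bob's request thread sends the global refresh
        LISTENERS.forEach(Runnable::run);  // both listeners execute on bob's thread

        // Compare what each of alice's UIs rendered, and the caller's context afterwards.
        System.out.println("unwrapped UI: " + plain.balanceText);
        System.out.println("wrapped UI:   " + wrapped.balanceText);
        System.out.println("caller after: " + CURRENT_USER.get());
    }
}
```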
