From b0cb13ac3705a6bf84633023cfe15070d1e4da6c Mon Sep 17 00:00:00 2001
From: Artur Signell <artur@vaadin.com>
Date: Thu, 23 Sep 2021 09:26:37 +0300
Subject: [PATCH 1/6] Always use the security context from VaadinSession when
 one is available.

This ensures that the security context is the expected (the one from the UI you run access() on) if you run UI.access from a request to another VaadinSession.

Practical use case is e.g. sending a global 'refresh' event and the receipient updating the UI as a result.

Fixes #906
---
 vaadin-spring-tests/pom.xml                   | 10 +++
 .../test-spring-security-flow/pom.xml         | 12 +++
 .../spring/flowsecurity/SecurityUtils.java    |  6 ++
 .../flowsecurity/service/BankService.java     | 15 +++-
 .../flowsecurity/views/Broadcaster.java       | 31 +++++++
 .../flowsecurity/views/PrivateView.java       | 68 +++++++++++++++-
 .../flow/spring/flowsecurity/AbstractIT.java  | 81 +++++++++++++++++++
 .../flow/spring/flowsecurity/AppViewIT.java   | 68 +---------------
 .../flowsecurity/UIAccessContextIT.java       | 71 ++++++++++++++++
 ...dinAwareSecurityContextHolderStrategy.java | 69 ++++++++++++++++
 .../VaadinWebSecurityConfigurerAdapter.java   |  6 ++
 .../spring/SpringClassesSerializableTest.java |  1 +
 12 files changed, 368 insertions(+), 70 deletions(-)
 create mode 100644 vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/views/Broadcaster.java
 create mode 100644 vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
 create mode 100644 vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java
 create mode 100644 vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java

diff --git a/vaadin-spring-tests/pom.xml b/vaadin-spring-tests/pom.xml
index 3bd05397a..321fe86ae 100644
--- a/vaadin-spring-tests/pom.xml
+++ b/vaadin-spring-tests/pom.xml
@@ -56,6 +56,16 @@
                 <artifactId>vaadin-upload-flow</artifactId>
                 <version>${vaadin.version}</version>
             </dependency>
+            <dependency>
+                <groupId>com.vaadin</groupId>
+                <artifactId>vaadin-dialog-flow</artifactId>
+                <version>${vaadin.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.vaadin</groupId>
+                <artifactId>vaadin-notification-flow</artifactId>
+                <version>${vaadin.version}</version>
+            </dependency>
             <dependency>
                 <groupId>com.vaadin</groupId>
                 <artifactId>vaadin-ordered-layout-flow</artifactId>
diff --git a/vaadin-spring-tests/test-spring-security-flow/pom.xml b/vaadin-spring-tests/test-spring-security-flow/pom.xml
index dda6c2210..720ab713e 100644
--- a/vaadin-spring-tests/test-spring-security-flow/pom.xml
+++ b/vaadin-spring-tests/test-spring-security-flow/pom.xml
@@ -36,10 +36,22 @@
             <groupId>com.vaadin</groupId>
             <artifactId>vaadin-tabs-flow</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>vaadin-text-field-flow</artifactId>
+        </dependency>
         <dependency>
             <groupId>com.vaadin</groupId>
             <artifactId>vaadin-upload-flow</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>vaadin-dialog-flow</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.vaadin</groupId>
+            <artifactId>vaadin-notification-flow</artifactId>
+        </dependency>
         <dependency>
             <groupId>com.vaadin</groupId>
             <artifactId>vaadin-login-flow</artifactId>
diff --git a/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityUtils.java b/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityUtils.java
index 3b4b7013f..30150f4de 100644
--- a/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityUtils.java
+++ b/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/SecurityUtils.java
@@ -22,6 +22,12 @@ public class SecurityUtils {
 
     public UserDetails getAuthenticatedUser() {
         SecurityContext context = SecurityContextHolder.getContext();
+        if (context == null) {
+            throw new IllegalStateException("No security context available");
+        }
+        if (context.getAuthentication() == null) {
+            return null;
+        }
         Object principal = context.getAuthentication().getPrincipal();
         if (principal instanceof UserDetails) {
             UserDetails userDetails = (UserDetails) context.getAuthentication()
diff --git a/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/service/BankService.java b/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/service/BankService.java
index 634cc634e..9d1f7895a 100644
--- a/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/service/BankService.java
+++ b/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/service/BankService.java
@@ -19,13 +19,25 @@ public class BankService {
     private SecurityUtils utils;
 
     public void applyForLoan() {
+        applyForLoan(10000);
+    }
+
+    public void applyForHugeLoan() {
+        applyForLoan(1000000);
+        try {
+            Thread.sleep(3000);
+        } catch (InterruptedException e) {
+        }
+    }
+
+    private void applyForLoan(int amount) {
         String name = utils.getAuthenticatedUser().getUsername();
         Optional<Account> acc = accountRepository.findByOwner(name);
         if (!acc.isPresent()) {
             return;
         }
         Account account = acc.get();
-        account.setBalance(account.getBalance().add(new BigDecimal("10000")));
+        account.setBalance(account.getBalance().add(new BigDecimal(amount)));
         accountRepository.save(account);
     }
 
@@ -34,4 +46,5 @@ public BigDecimal getBalance() {
         return accountRepository.findByOwner(name).map(Account::getBalance)
                 .orElse(null);
     }
+
 }
diff --git a/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/views/Broadcaster.java b/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/views/Broadcaster.java
new file mode 100644
index 000000000..482b4c642
--- /dev/null
+++ b/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/views/Broadcaster.java
@@ -0,0 +1,31 @@
+package com.vaadin.flow.spring.flowsecurity.views;
+
+import com.vaadin.flow.component.Component;
+import com.vaadin.flow.component.ComponentEvent;
+import com.vaadin.flow.component.ComponentEventBus;
+import com.vaadin.flow.component.ComponentEventListener;
+import com.vaadin.flow.component.html.Div;
+import com.vaadin.flow.shared.Registration;
+
+public class Broadcaster {
+
+    private static Broadcaster instance = new Broadcaster();
+
+    private ComponentEventBus router = new ComponentEventBus(new Div());
+
+    public static class RefreshEvent extends ComponentEvent<Component> {
+        public RefreshEvent() {
+            super(new Div(), false);
+        }
+    }
+
+    public static void sendMessage() {
+        instance.router.fireEvent(new RefreshEvent());
+    }
+
+    public static Registration addMessageListener(
+            ComponentEventListener<RefreshEvent> listener) {
+        return instance.router.addListener(RefreshEvent.class, listener);
+    }
+
+}
\ No newline at end of file
diff --git a/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/views/PrivateView.java b/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/views/PrivateView.java
index a835d1927..3c5ed6f81 100644
--- a/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/views/PrivateView.java
+++ b/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/views/PrivateView.java
@@ -3,23 +3,34 @@
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.math.BigDecimal;
+import java.time.LocalDateTime;
+import java.util.concurrent.Executor;
 
 import javax.annotation.security.PermitAll;
 
+import com.vaadin.flow.component.AttachEvent;
 import com.vaadin.flow.component.ClickEvent;
+import com.vaadin.flow.component.DetachEvent;
+import com.vaadin.flow.component.Text;
+import com.vaadin.flow.component.UI;
 import com.vaadin.flow.component.button.Button;
+import com.vaadin.flow.component.dialog.Dialog;
 import com.vaadin.flow.component.html.H4;
 import com.vaadin.flow.component.html.Image;
 import com.vaadin.flow.component.html.Paragraph;
 import com.vaadin.flow.component.html.Span;
+import com.vaadin.flow.component.notification.Notification;
 import com.vaadin.flow.component.orderedlayout.VerticalLayout;
 import com.vaadin.flow.component.upload.Upload;
 import com.vaadin.flow.router.PageTitle;
 import com.vaadin.flow.router.Route;
 import com.vaadin.flow.server.StreamResource;
+import com.vaadin.flow.shared.Registration;
 import com.vaadin.flow.spring.flowsecurity.SecurityUtils;
 import com.vaadin.flow.spring.flowsecurity.service.BankService;
 
+import org.springframework.security.concurrent.DelegatingSecurityContextExecutor;
+
 @Route(value = "private", layout = MainView.class)
 @PageTitle("Private View")
 @PermitAll
@@ -28,15 +39,27 @@ public class PrivateView extends VerticalLayout {
     private BankService bankService;
     private Span balanceSpan = new Span();
     private SecurityUtils utils;
+    private DelegatingSecurityContextExecutor executor;
+    private Registration registration;
 
-    public PrivateView(BankService bankService, SecurityUtils utils) {
+    public PrivateView(BankService bankService, SecurityUtils utils,
+            Executor executor) {
         this.bankService = bankService;
         this.utils = utils;
+        this.executor = new DelegatingSecurityContextExecutor(executor);
 
         updateBalanceText();
         balanceSpan.setId("balanceText");
         add(balanceSpan);
         add(new Button("Apply for a loan", this::applyForLoan));
+        add(new Button("Apply for a huge loan",
+                this::applyForHugeLoanUsingExecutor));
+
+        Button globalRefresh = new Button("Send global refresh event",
+                e -> Broadcaster.sendMessage());
+        globalRefresh.setId("sendRefresh");
+        add(globalRefresh);
+
         Upload upload = new Upload();
         ByteArrayOutputStream imageStream = new ByteArrayOutputStream();
         upload.setReceiver((filename, mimeType) -> {
@@ -57,16 +80,57 @@ public PrivateView(BankService bankService, SecurityUtils utils) {
         add(upload);
     }
 
+    @Override
+    protected void onAttach(AttachEvent attachEvent) {
+        super.onAttach(attachEvent);
+        attachEvent.getUI().setPollInterval(1000);
+        registration = Broadcaster.addMessageListener(e -> {
+            getUI().get().access(() -> this.updateBalanceText());
+        });
+    }
+
+    @Override
+    protected void onDetach(DetachEvent detachEvent) {
+        super.onDetach(detachEvent);
+        detachEvent.getUI().setPollInterval(-1);
+        registration.remove();
+    }
+
     private void updateBalanceText() {
         String name = utils.getAuthenticatedUserInfo().getFullName();
         BigDecimal balance = bankService.getBalance();
         this.balanceSpan.setText(String.format(
                 "Hello %s, your bank account balance is $%s.", name, balance));
-
     }
 
     private void applyForLoan(ClickEvent<Button> e) {
         bankService.applyForLoan();
         updateBalanceText();
     }
+
+    private void applyForHugeLoanUsingExecutor(ClickEvent<Button> e) {
+        Dialog waitDialog = new Dialog();
+        waitDialog.add(new Text("Processing loan application..."));
+        waitDialog.open();
+        UI ui = getUI().get();
+        Runnable runnable = new Runnable() {
+            @Override
+            public void run() {
+                try {
+                    bankService.applyForHugeLoan();
+                } catch (Exception e) {
+                    getUI().get().access(() -> {
+                        Notification
+                                .show("Application failed: " + e.getMessage());
+                    });
+
+                }
+                ui.access(() -> {
+                    updateBalanceText();
+                    waitDialog.close();
+                });
+            }
+        };
+        executor.execute(runnable);
+    }
 }
diff --git a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
new file mode 100644
index 000000000..f4e96d29c
--- /dev/null
+++ b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
@@ -0,0 +1,81 @@
+package com.vaadin.flow.spring.flowsecurity;
+
+import com.vaadin.flow.component.login.testbench.LoginFormElement;
+import com.vaadin.flow.component.login.testbench.LoginOverlayElement;
+import com.vaadin.flow.testutil.ChromeBrowserTest;
+import com.vaadin.testbench.TestBenchElement;
+
+import org.junit.Assert;
+import org.openqa.selenium.WebDriver;
+
+public abstract class AbstractIT extends ChromeBrowserTest {
+
+    private static final String ROOT_PAGE_HEADER_TEXT = "Welcome to the Java Bank of Vaadin";
+    private static final String ANOTHER_PUBLIC_PAGE_HEADER_TEXT = "Another public view for testing";
+
+    protected void open(String path) {
+        open(path, getDriver());
+    }
+
+    protected void open(String path, WebDriver driver) {
+        driver.get(getRootURL() + "/" + path);
+    }
+
+    protected void loginUser() {
+        login("john", "john");
+    }
+
+    protected void loginAdmin() {
+        login("emma", "emma");
+    }
+
+    protected void login(String username, String password) {
+        assertLoginViewShown();
+
+        LoginFormElement form = $(LoginOverlayElement.class).first()
+                .getLoginForm();
+        form.getUsernameField().setValue(username);
+        form.getPasswordField().setValue(password);
+        form.submit();
+        waitUntilNot(driver -> $(LoginOverlayElement.class).exists());
+    }
+
+    protected void assertLoginViewShown() {
+        assertPathShown("login");
+        waitUntil(driver -> $(LoginOverlayElement.class).exists());
+    }
+
+    protected void assertRootPageShown() {
+        waitUntil(drive -> $("h1").attribute("id", "header").exists());
+        String headerText = $("h1").id("header").getText();
+        Assert.assertEquals(ROOT_PAGE_HEADER_TEXT, headerText);
+    }
+
+    protected void assertAnotherPublicPageShown() {
+        waitUntil(drive -> $("h1").attribute("id", "header").exists());
+        String headerText = $("h1").id("header").getText();
+        Assert.assertEquals(ANOTHER_PUBLIC_PAGE_HEADER_TEXT, headerText);
+    }
+
+    protected void assertPrivatePageShown(String fullName) {
+        assertPathShown("protected");
+        waitUntil(driver -> $("span").attribute("id", "balanceText").exists());
+        String balance = $("span").id("balanceText").getText();
+        Assert.assertTrue(balance.startsWith(
+                "Hello " + fullName + ", your bank account balance is $"));
+    }
+
+    protected void assertAdminPageShown(String fullName) {
+        assertPathShown("admin");
+        TestBenchElement welcome = waitUntil(driver -> $("*").id("welcome"));
+        String welcomeText = welcome.getText();
+        Assert.assertEquals("Welcome to the admin page, " + fullName,
+                welcomeText);
+    }
+
+    protected void assertPathShown(String path) {
+        waitUntil(driver -> driver.getCurrentUrl()
+                .equals(getRootURL() + "/" + path));
+    }
+
+}
diff --git a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AppViewIT.java b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AppViewIT.java
index 39e2f0895..5f3c98b09 100644
--- a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AppViewIT.java
+++ b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AppViewIT.java
@@ -9,10 +9,7 @@
 import java.util.stream.Collectors;
 
 import com.vaadin.flow.component.button.testbench.ButtonElement;
-import com.vaadin.flow.component.login.testbench.LoginFormElement;
-import com.vaadin.flow.component.login.testbench.LoginOverlayElement;
 import com.vaadin.flow.component.upload.testbench.UploadElement;
-import com.vaadin.flow.testutil.ChromeBrowserTest;
 import com.vaadin.testbench.TestBenchElement;
 
 import org.apache.commons.io.IOUtils;
@@ -20,10 +17,8 @@
 import org.junit.Assert;
 import org.junit.Test;
 
-public class AppViewIT extends ChromeBrowserTest {
+public class AppViewIT extends AbstractIT {
 
-    private static final String ROOT_PAGE_HEADER_TEXT = "Welcome to the Java Bank of Vaadin";
-    private static final String ANOTHER_PUBLIC_PAGE_HEADER_TEXT = "Another public view for testing";
     private static final int SERVER_PORT = 8888;
     private static final String USER_FULLNAME = "John the User";
     private static final String ADMIN_FULLNAME = "Emma the Admin";
@@ -65,10 +60,6 @@ private void clickLogout() {
         getMainView().$(ButtonElement.class).id("logout").click();
     }
 
-    private void open(String path) {
-        getDriver().get(getRootURL() + "/" + path);
-    }
-
     @Test
     public void menu_correct_for_anonymous() {
         open("");
@@ -297,63 +288,6 @@ private TestBenchElement getMainView() {
         return waitUntil(driver -> $("*").id("main-view"));
     }
 
-    private void assertLoginViewShown() {
-        assertPathShown("login");
-        waitUntil(driver -> $(LoginOverlayElement.class).exists());
-    }
-
-    private void assertRootPageShown() {
-        waitUntil(drive -> $("h1").attribute("id", "header").exists());
-        String headerText = $("h1").id("header").getText();
-        Assert.assertEquals(ROOT_PAGE_HEADER_TEXT, headerText);
-    }
-
-    private void assertAnotherPublicPageShown() {
-        waitUntil(drive -> $("h1").attribute("id", "header").exists());
-        String headerText = $("h1").id("header").getText();
-        Assert.assertEquals(ANOTHER_PUBLIC_PAGE_HEADER_TEXT, headerText);
-    }
-
-    private void assertPrivatePageShown(String fullName) {
-        assertPathShown("private");
-        waitUntil(driver -> $("span").attribute("id", "balanceText").exists());
-        String balance = $("span").id("balanceText").getText();
-        Assert.assertTrue(balance.startsWith(
-                "Hello " + fullName + ", your bank account balance is $"));
-    }
-
-    private void assertAdminPageShown(String fullName) {
-        assertPathShown("admin");
-        TestBenchElement welcome = waitUntil(driver -> $("*").id("welcome"));
-        String welcomeText = welcome.getText();
-        Assert.assertEquals("Welcome to the admin page, " + fullName,
-                welcomeText);
-    }
-
-    private void assertPathShown(String path) {
-        waitUntil(driver -> driver.getCurrentUrl()
-                .equals(getRootURL() + "/" + path));
-    }
-
-    private void loginUser() {
-        login("john", "john");
-    }
-
-    private void loginAdmin() {
-        login("emma", "emma");
-    }
-
-    private void login(String username, String password) {
-        assertLoginViewShown();
-
-        LoginFormElement form = $(LoginOverlayElement.class).first()
-                .getLoginForm();
-        form.getUsernameField().setValue(username);
-        form.getPasswordField().setValue(password);
-        form.submit();
-        waitUntilNot(driver -> $(LoginOverlayElement.class).exists());
-    }
-
     private void refresh() {
         getDriver().navigate().refresh();
     }
diff --git a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java
new file mode 100644
index 000000000..1cfebfdc3
--- /dev/null
+++ b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java
@@ -0,0 +1,71 @@
+package com.vaadin.flow.spring.flowsecurity;
+
+import com.vaadin.flow.component.button.testbench.ButtonElement;
+import com.vaadin.flow.component.login.testbench.LoginFormElement;
+import com.vaadin.flow.component.login.testbench.LoginOverlayElement;
+import com.vaadin.testbench.HasElementQuery;
+import com.vaadin.testbench.TestBench;
+import com.vaadin.testbench.TestBenchElement;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.openqa.selenium.By;
+import org.openqa.selenium.SearchContext;
+import org.openqa.selenium.WebDriver;
+import org.openqa.selenium.chrome.ChromeDriver;
+import org.openqa.selenium.chrome.ChromeOptions;
+
+public class UIAccessContextIT extends AbstractIT {
+
+    private WebDriver createHeadlessChromeDriver() {
+        ChromeOptions headlessOptions = new ChromeOptions();
+        headlessOptions.addArguments("--headless", "--disable-gpu");
+        return TestBench.createDriver(new ChromeDriver(headlessOptions));
+    }
+
+    @Test
+    public void securityContextSetForUIAccess() {
+        String expectedUserBalance = "Hello John the User, your bank account balance is $10000.00.";
+        String expectedAdminBalance = "Hello Emma the Admin, your bank account balance is $200000.00.";
+
+        open("private");
+        loginUser();
+        TestBenchElement balance = $("span").id("balanceText");
+        Assert.assertEquals(expectedUserBalance, balance.getText());
+
+        WebDriver adminBrowser = createHeadlessChromeDriver();
+        open("private", adminBrowser);
+        HasElementQuery adminContext = new HasElementQuery() {
+
+            @Override
+            public SearchContext getContext() {
+                return adminBrowser;
+            }
+
+        };
+        loginAdmin(adminContext);
+        TestBenchElement adminBalance = adminContext.$("span")
+                .id("balanceText");
+        Assert.assertEquals(expectedAdminBalance, adminBalance.getText());
+
+        ButtonElement sendRefresh = $(ButtonElement.class).id("sendRefresh");
+        sendRefresh.click();
+        Assert.assertEquals(expectedUserBalance, balance.getText());
+        Assert.assertEquals(expectedAdminBalance, adminBalance.getText());
+
+        ButtonElement adminSendRefresh = adminContext.$(ButtonElement.class)
+                .id("sendRefresh");
+        adminSendRefresh.click();
+        Assert.assertEquals(expectedUserBalance, balance.getText());
+        Assert.assertEquals(expectedAdminBalance, adminBalance.getText());
+    }
+
+    private void loginAdmin(HasElementQuery adminContext) {
+        LoginFormElement form = adminContext.$(LoginOverlayElement.class)
+                .first().getLoginForm();
+        form.getUsernameField().setValue("emma");
+        form.getPasswordField().setValue("emma");
+        form.submit();
+    }
+
+}
diff --git a/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java b/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
new file mode 100644
index 000000000..b4c0d9095
--- /dev/null
+++ b/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
@@ -0,0 +1,69 @@
+package com.vaadin.flow.spring.security;
+
+import com.vaadin.flow.server.VaadinSession;
+import org.springframework.lang.NonNull;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
+import org.springframework.security.core.context.SecurityContextImpl;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+
+import java.util.Optional;
+
+import static java.util.Objects.requireNonNull;
+
+public final class VaadinAwareSecurityContextHolderStrategy
+        implements SecurityContextHolderStrategy {
+
+    private final ThreadLocal<SecurityContext> contextHolder = new ThreadLocal<>();
+
+    @Override
+    public void clearContext() {
+        contextHolder.remove();
+    }
+
+    @Override
+    @NonNull
+    public SecurityContext getContext() {
+        // We must prefer the vaadin session information over the threadlocal as
+        // it is
+        // more specific. It makes a huge difference if you for instance to
+        // `otherSessionUI.access` in a request thread. In this case the
+        // security
+        // context is expected to reflect the "otherSession" and not the current
+        // request.
+        //
+        SecurityContext context = getFromVaadinSession()
+                .orElseGet(() -> contextHolder.get());
+        if (context == null) {
+            context = createEmptyContext();
+            contextHolder.set(context);
+        }
+        return context;
+    }
+
+    @NonNull
+    private Optional<SecurityContext> getFromVaadinSession() {
+        VaadinSession session = VaadinSession.getCurrent();
+        if (session == null) {
+            return Optional.empty();
+        }
+        Object securityContext = session.getSession().getAttribute(
+                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
+        if (securityContext instanceof SecurityContext) {
+            return Optional.of((SecurityContext) securityContext);
+        } else {
+            return Optional.empty();
+        }
+    }
+
+    @Override
+    public void setContext(@NonNull SecurityContext securityContext) {
+        contextHolder.set(requireNonNull(securityContext));
+    }
+
+    @Override
+    @NonNull
+    public SecurityContext createEmptyContext() {
+        return new SecurityContextImpl();
+    }
+}
\ No newline at end of file
diff --git a/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinWebSecurityConfigurerAdapter.java b/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinWebSecurityConfigurerAdapter.java
index 2050a77ab..2f01684b0 100644
--- a/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinWebSecurityConfigurerAdapter.java
+++ b/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinWebSecurityConfigurerAdapter.java
@@ -32,6 +32,7 @@
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
@@ -85,6 +86,11 @@ public void configure(WebSecurity web) throws Exception {
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
+        // Use a security context holder that can find the context from Vaadin
+        // specific classes
+        SecurityContextHolder.setStrategyName(
+                VaadinAwareSecurityContextHolderStrategy.class.getName());
+
         // Vaadin has its own CSRF protection.
         // Spring CSRF is not compatible with Vaadin internal requests
         http.csrf().ignoringRequestMatchers(
diff --git a/vaadin-spring/src/test/java/com/vaadin/flow/spring/SpringClassesSerializableTest.java b/vaadin-spring/src/test/java/com/vaadin/flow/spring/SpringClassesSerializableTest.java
index 612317d9b..bae363d28 100644
--- a/vaadin-spring/src/test/java/com/vaadin/flow/spring/SpringClassesSerializableTest.java
+++ b/vaadin-spring/src/test/java/com/vaadin/flow/spring/SpringClassesSerializableTest.java
@@ -88,6 +88,7 @@ protected Stream<String> getExcludedPatterns() {
                 "com\\.vaadin\\.flow\\.spring\\.scopes\\.VaadinSessionScope",
                 "com\\.vaadin\\.flow\\.spring\\.scopes\\.AbstractScope",
                 "com\\.vaadin\\.flow\\.spring\\.scopes\\.VaadinUIScope",
+                "com\\.vaadin\\.flow\\.spring\\.security\\.VaadinAwareSecurityContextHolderStrategy",
                 "com\\.vaadin\\.flow\\.spring\\.security\\.VaadinWebSecurityConfigurerAdapter",
                 "com\\.vaadin\\.flow\\.spring\\.security\\.VaadinDefaultRequestCache",
                 "com\\.vaadin\\.flow\\.spring\\.security\\.VaadinSavedRequestAwareAuthenticationSuccessHandler",

From 0484d595e696c3231b1007a089a2c55cefb0cd48 Mon Sep 17 00:00:00 2001
From: Artur Signell <artur@vaadin.com>
Date: Thu, 23 Sep 2021 17:09:50 +0300
Subject: [PATCH 2/6] Maybe fix some test issues

---
 .../flow/spring/flowsecurity/AbstractIT.java  | 26 +++++++++++++++++++
 .../flow/spring/flowsecurity/AppViewIT.java   | 26 -------------------
 .../flowsecurity/UIAccessContextIT.java       |  1 -
 3 files changed, 26 insertions(+), 27 deletions(-)

diff --git a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
index f4e96d29c..591144eb8 100644
--- a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
+++ b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
@@ -5,6 +5,7 @@
 import com.vaadin.flow.testutil.ChromeBrowserTest;
 import com.vaadin.testbench.TestBenchElement;
 
+import org.junit.After;
 import org.junit.Assert;
 import org.openqa.selenium.WebDriver;
 
@@ -12,6 +13,31 @@ public abstract class AbstractIT extends ChromeBrowserTest {
 
     private static final String ROOT_PAGE_HEADER_TEXT = "Welcome to the Java Bank of Vaadin";
     private static final String ANOTHER_PUBLIC_PAGE_HEADER_TEXT = "Another public view for testing";
+    private static final int SERVER_PORT = 8888;
+
+    @Override
+    protected int getDeploymentPort() {
+        return SERVER_PORT;
+    }
+
+    @Override
+    protected String getRootURL() {
+        return super.getRootURL(); // + "/context";
+    }
+
+    @After
+    public void tearDown() {
+        if (getDriver() != null) {
+            checkForBrowserErrors();
+        }
+    }
+
+    private void checkForBrowserErrors() {
+        checkLogsForErrors(msg -> {
+            return msg.contains(
+                    "admin-only/secret.txt - Failed to load resource: the server responded with a status of 403");
+        });
+    }
 
     protected void open(String path) {
         open(path, getDriver());
diff --git a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AppViewIT.java b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AppViewIT.java
index 5f3c98b09..371c63319 100644
--- a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AppViewIT.java
+++ b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AppViewIT.java
@@ -13,40 +13,14 @@
 import com.vaadin.testbench.TestBenchElement;
 
 import org.apache.commons.io.IOUtils;
-import org.junit.After;
 import org.junit.Assert;
 import org.junit.Test;
 
 public class AppViewIT extends AbstractIT {
 
-    private static final int SERVER_PORT = 8888;
     private static final String USER_FULLNAME = "John the User";
     private static final String ADMIN_FULLNAME = "Emma the Admin";
 
-    @Override
-    protected int getDeploymentPort() {
-        return SERVER_PORT;
-    }
-
-    @Override
-    protected String getRootURL() {
-        return super.getRootURL(); // + "/context";
-    }
-
-    @After
-    public void tearDown() {
-        if (getDriver() != null) {
-            checkForBrowserErrors();
-        }
-    }
-
-    private void checkForBrowserErrors() {
-        checkLogsForErrors(msg -> {
-            return msg.contains(
-                    "admin-only/secret.txt - Failed to load resource: the server responded with a status of 403");
-        });
-    }
-
     private void logout() {
         if (!$(ButtonElement.class).attribute("id", "logout").exists()) {
             open("");
diff --git a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java
index 1cfebfdc3..3ea417da9 100644
--- a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java
+++ b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java
@@ -9,7 +9,6 @@
 
 import org.junit.Assert;
 import org.junit.Test;
-import org.openqa.selenium.By;
 import org.openqa.selenium.SearchContext;
 import org.openqa.selenium.WebDriver;
 import org.openqa.selenium.chrome.ChromeDriver;

From d6450cc38d4e47dff17a62a2a6af6f0a034da8b7 Mon Sep 17 00:00:00 2001
From: Artur Signell <artur@vaadin.com>
Date: Thu, 23 Sep 2021 20:46:17 +0300
Subject: [PATCH 3/6] Fix test

---
 .../java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
index 591144eb8..17296c302 100644
--- a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
+++ b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
@@ -84,7 +84,7 @@ protected void assertAnotherPublicPageShown() {
     }
 
     protected void assertPrivatePageShown(String fullName) {
-        assertPathShown("protected");
+        assertPathShown("private");
         waitUntil(driver -> $("span").attribute("id", "balanceText").exists());
         String balance = $("span").id("balanceText").getText();
         Assert.assertTrue(balance.startsWith(

From bec48b8b8a35168fef4a75b6a8d77b9564beb265 Mon Sep 17 00:00:00 2001
From: Artur Signell <artur@vaadin.com>
Date: Thu, 23 Sep 2021 20:50:02 +0300
Subject: [PATCH 4/6] Fix test

---
 .../flowsecurity/UIAccessContextIT.java       | 67 +++++++++----------
 1 file changed, 32 insertions(+), 35 deletions(-)

diff --git a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java
index 3ea417da9..f6d396ba6 100644
--- a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java
+++ b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java
@@ -4,59 +4,56 @@
 import com.vaadin.flow.component.login.testbench.LoginFormElement;
 import com.vaadin.flow.component.login.testbench.LoginOverlayElement;
 import com.vaadin.testbench.HasElementQuery;
-import com.vaadin.testbench.TestBench;
 import com.vaadin.testbench.TestBenchElement;
 
 import org.junit.Assert;
 import org.junit.Test;
 import org.openqa.selenium.SearchContext;
 import org.openqa.selenium.WebDriver;
-import org.openqa.selenium.chrome.ChromeDriver;
-import org.openqa.selenium.chrome.ChromeOptions;
 
 public class UIAccessContextIT extends AbstractIT {
 
-    private WebDriver createHeadlessChromeDriver() {
-        ChromeOptions headlessOptions = new ChromeOptions();
-        headlessOptions.addArguments("--headless", "--disable-gpu");
-        return TestBench.createDriver(new ChromeDriver(headlessOptions));
-    }
-
     @Test
-    public void securityContextSetForUIAccess() {
+    public void securityContextSetForUIAccess() throws Exception {
         String expectedUserBalance = "Hello John the User, your bank account balance is $10000.00.";
         String expectedAdminBalance = "Hello Emma the Admin, your bank account balance is $200000.00.";
 
-        open("private");
-        loginUser();
-        TestBenchElement balance = $("span").id("balanceText");
-        Assert.assertEquals(expectedUserBalance, balance.getText());
+        WebDriver adminBrowser = getDriver();
+        try {
+            super.setup();
+            open("private");
+            loginUser();
+            TestBenchElement balance = $("span").id("balanceText");
+            Assert.assertEquals(expectedUserBalance, balance.getText());
 
-        WebDriver adminBrowser = createHeadlessChromeDriver();
-        open("private", adminBrowser);
-        HasElementQuery adminContext = new HasElementQuery() {
+            open("private", adminBrowser);
+            HasElementQuery adminContext = new HasElementQuery() {
 
-            @Override
-            public SearchContext getContext() {
-                return adminBrowser;
-            }
+                @Override
+                public SearchContext getContext() {
+                    return adminBrowser;
+                }
 
-        };
-        loginAdmin(adminContext);
-        TestBenchElement adminBalance = adminContext.$("span")
-                .id("balanceText");
-        Assert.assertEquals(expectedAdminBalance, adminBalance.getText());
+            };
+            loginAdmin(adminContext);
+            TestBenchElement adminBalance = adminContext.$("span")
+                    .id("balanceText");
+            Assert.assertEquals(expectedAdminBalance, adminBalance.getText());
 
-        ButtonElement sendRefresh = $(ButtonElement.class).id("sendRefresh");
-        sendRefresh.click();
-        Assert.assertEquals(expectedUserBalance, balance.getText());
-        Assert.assertEquals(expectedAdminBalance, adminBalance.getText());
+            ButtonElement sendRefresh = $(ButtonElement.class)
+                    .id("sendRefresh");
+            sendRefresh.click();
+            Assert.assertEquals(expectedUserBalance, balance.getText());
+            Assert.assertEquals(expectedAdminBalance, adminBalance.getText());
 
-        ButtonElement adminSendRefresh = adminContext.$(ButtonElement.class)
-                .id("sendRefresh");
-        adminSendRefresh.click();
-        Assert.assertEquals(expectedUserBalance, balance.getText());
-        Assert.assertEquals(expectedAdminBalance, adminBalance.getText());
+            ButtonElement adminSendRefresh = adminContext.$(ButtonElement.class)
+                    .id("sendRefresh");
+            adminSendRefresh.click();
+            Assert.assertEquals(expectedUserBalance, balance.getText());
+            Assert.assertEquals(expectedAdminBalance, adminBalance.getText());
+        } finally {
+            adminBrowser.quit();
+        }
     }
 
     private void loginAdmin(HasElementQuery adminContext) {

From 3d8932d1f5e67a0d03fec9e17e1c28d369098aed Mon Sep 17 00:00:00 2001
From: Artur <artur@vaadin.com>
Date: Tue, 28 Sep 2021 12:12:51 +0300
Subject: [PATCH 5/6] Apply suggestions from code review

Co-authored-by: Mikhail Shabarov <61410877+mshabarov@users.noreply.github.com>
---
 .../spring/flowsecurity/views/Broadcaster.java  | 17 ++++++++++++++++-
 .../flow/spring/flowsecurity/AbstractIT.java    | 15 +++++++++++++++
 .../spring/flowsecurity/UIAccessContextIT.java  | 15 +++++++++++++++
 ...aadinAwareSecurityContextHolderStrategy.java | 17 ++++++++++++++++-
 4 files changed, 62 insertions(+), 2 deletions(-)

diff --git a/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/views/Broadcaster.java b/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/views/Broadcaster.java
index 482b4c642..d94e8fc6c 100644
--- a/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/views/Broadcaster.java
+++ b/vaadin-spring-tests/test-spring-security-flow/src/main/java/com/vaadin/flow/spring/flowsecurity/views/Broadcaster.java
@@ -1,3 +1,18 @@
+/*
+ * Copyright 2000-2021 Vaadin Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
 package com.vaadin.flow.spring.flowsecurity.views;
 
 import com.vaadin.flow.component.Component;
@@ -28,4 +43,4 @@ public static Registration addMessageListener(
         return instance.router.addListener(RefreshEvent.class, listener);
     }
 
-}
\ No newline at end of file
+}
diff --git a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
index 17296c302..46c5d4638 100644
--- a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
+++ b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/AbstractIT.java
@@ -1,3 +1,18 @@
+/*
+ * Copyright 2000-2021 Vaadin Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
 package com.vaadin.flow.spring.flowsecurity;
 
 import com.vaadin.flow.component.login.testbench.LoginFormElement;
diff --git a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java
index f6d396ba6..28e46a880 100644
--- a/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java
+++ b/vaadin-spring-tests/test-spring-security-flow/src/test/java/com/vaadin/flow/spring/flowsecurity/UIAccessContextIT.java
@@ -1,3 +1,18 @@
+/*
+ * Copyright 2000-2021 Vaadin Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
 package com.vaadin.flow.spring.flowsecurity;
 
 import com.vaadin.flow.component.button.testbench.ButtonElement;
diff --git a/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java b/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
index b4c0d9095..7a6a131ed 100644
--- a/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
+++ b/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
@@ -1,3 +1,18 @@
+/*
+ * Copyright 2000-2021 Vaadin Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
 package com.vaadin.flow.spring.security;
 
 import com.vaadin.flow.server.VaadinSession;
@@ -66,4 +81,4 @@ public void setContext(@NonNull SecurityContext securityContext) {
     public SecurityContext createEmptyContext() {
         return new SecurityContextImpl();
     }
-}
\ No newline at end of file
+}

From 8bf6e8aa26986ea1d5f49e504a6c347e0f84f738 Mon Sep 17 00:00:00 2001
From: Artur Signell <artur@vaadin.com>
Date: Tue, 28 Sep 2021 12:17:18 +0300
Subject: [PATCH 6/6] Docs

---
 ...dinAwareSecurityContextHolderStrategy.java | 22 ++++++++++++-------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java b/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
index 7a6a131ed..7763a5fd9 100644
--- a/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
+++ b/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
@@ -26,6 +26,13 @@
 
 import static java.util.Objects.requireNonNull;
 
+/**
+ * A strategy that uses an available VaadinSession for retrieving the security
+ * context.
+ * <p>
+ * Falls back to the default thread specific security context when no
+ * vaadinSession is available.
+ */
 public final class VaadinAwareSecurityContextHolderStrategy
         implements SecurityContextHolderStrategy {
 
@@ -39,14 +46,13 @@ public void clearContext() {
     @Override
     @NonNull
     public SecurityContext getContext() {
-        // We must prefer the vaadin session information over the threadlocal as
-        // it is
-        // more specific. It makes a huge difference if you for instance to
-        // `otherSessionUI.access` in a request thread. In this case the
-        // security
-        // context is expected to reflect the "otherSession" and not the current
-        // request.
-        //
+        /*
+         * We prefer the vaadin session information over the threadlocal as it
+         * is more specific. It makes a huge difference if you for instance to
+         * `otherSessionUI.access` in a request thread. In this case the
+         * security context is expected to reflect the "otherSession" and not
+         * the current request.
+         */
         SecurityContext context = getFromVaadinSession()
                 .orElseGet(() -> contextHolder.get());
         if (context == null) {