vaadin · Artur- · Oct 7, 2021 · Oct 4, 2021 · Oct 6, 2021 · Oct 6, 2021
diff --git a/...c/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java b/...c/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
@@ -54,7 +54,7 @@ public SecurityContext getContext() {
          * the current request.
          */
         SecurityContext context = getFromVaadinSession()
-                .orElseGet(() -> contextHolder.get());
+                .orElseGet(contextHolder::get);
         if (context == null) {
             context = createEmptyContext();
             contextHolder.set(context);
@@ -65,7 +65,7 @@ public SecurityContext getContext() {
     @NonNull
     private Optional<SecurityContext> getFromVaadinSession() {
         VaadinSession session = VaadinSession.getCurrent();
-        if (session == null) {
+        if (session == null || session.getSession() == null) {
             return Optional.empty();
         }
         Object securityContext = session.getSession().getAttribute(

diff --git a/...st/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategyTest.java b/...st/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategyTest.java
@@ -0,0 +1,64 @@
+package com.vaadin.flow.spring.security;
+
+import javax.servlet.http.HttpSession;
+
+import com.vaadin.flow.internal.CurrentInstance;
+import com.vaadin.flow.server.VaadinSession;
+import com.vaadin.flow.server.WrappedHttpSession;
+import com.vaadin.flow.server.WrappedSession;
+
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+
+public class VaadinAwareSecurityContextHolderStrategyTest {
+
+    private VaadinAwareSecurityContextHolderStrategy vaadinAwareSecurityContextHolderStrategy;
+
+    @Before
+    public void setup() {
+        vaadinAwareSecurityContextHolderStrategy = new VaadinAwareSecurityContextHolderStrategy();
+        CurrentInstance.clearAll();
+    }
+
+    @After
+    public void teardown() {
+        CurrentInstance.clearAll();
+    }
+
+    @Test
+    public void currentSessionOverrides() {
+        VaadinSession vaadinSession = Mockito.mock(VaadinSession.class);
+        HttpSession httpSession = Mockito.mock(HttpSession.class);
+        Mockito.when(vaadinSession.getSession()).thenReturn(new WrappedHttpSession(httpSession));
+        SecurityContext securityContext = Mockito.mock(SecurityContext.class);
+        Mockito.when(httpSession.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY))
+                .thenReturn(securityContext);
+        VaadinSession.setCurrent(vaadinSession);
+
+        vaadinAwareSecurityContextHolderStrategy.setContext(Mockito.mock(SecurityContext.class));
+        Assert.assertEquals(securityContext, vaadinAwareSecurityContextHolderStrategy.getContext());
+    }
+
+    @Test
+    public void detachedSessionWorks() {
+        VaadinSession vaadinSession = Mockito.mock(VaadinSession.class);
+        Mockito.when(vaadinSession.getSession()).thenReturn(null);
+        VaadinSession.setCurrent(vaadinSession);
+
+        SecurityContext explicit = Mockito.mock(SecurityContext.class);
+        vaadinAwareSecurityContextHolderStrategy.setContext(explicit);
+        Assert.assertEquals(explicit, vaadinAwareSecurityContextHolderStrategy.getContext());
+    }
+
+    @Test
+    public void explicitUsedWhenNoSessionAvailable() {
+        SecurityContext explicit = Mockito.mock(SecurityContext.class);
+        vaadinAwareSecurityContextHolderStrategy.setContext(explicit);
+        Assert.assertEquals(explicit, vaadinAwareSecurityContextHolderStrategy.getContext());
+    }
+}