Vaadin @Push with Vaadin4Spring Security #271

Open
turgos opened this issue Feb 21, 2016 · 5 comments

turgos commented Feb 21, 2016

Using Vaadin @Push with vaadin-spring-boot-starter and Vaadin4Spring Security throws an exception.

Here are the Vaadin-related dependencies in our project:

  compile 'com.vaadin:vaadin-client-compiled:7.5.8'
  compile 'com.vaadin:vaadin-client:7.5.8'
  compile 'com.vaadin:vaadin-themes:7.5.8'
  compile 'com.vaadin:vaadin-server:7.5.8'
  compile 'com.vaadin:vaadin-push:7.5.8'

  // Official VaadinSpring Integration
  compile("com.vaadin:vaadin-spring-boot-starter:1.0.0")

  // Vaadin extensions - in the future more of those will go to the official VaadinSpring Integration
  compile("org.vaadin.spring.extensions:vaadin-spring-ext-security:0.0.6.RELEASE")
  compile("org.vaadin.spring.extensions:vaadin-spring-ext-core:0.0.6.RELEASE")
  compile("org.vaadin.spring.extensions:vaadin-spring-ext-boot:0.0.6.RELEASE")
  compile("org.vaadin.spring.extensions:vaadin-spring-ext-test:0.0.6.RELEASE")

Here are the annotations on the UI class:

@Theme("mytheme")
@Title(com.test.util.Constants.TITLE)
@EnableOAuth2Client
@SpringUI
@Push
public class MyVaadinUI extends UI {
...
}

And Application.java:

@EnableVaadinExtensions
@SpringBootApplication
@EnableConfigurationProperties
@EnableI18N
@EnableEventBus
@RestController
@EnableOAuth2Client
public class Application extends SpringBootServletInitializer {
  public static void main(String[] args) {
    SpringApplication.run(Application.class, args);
  }

  @Override
  protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
    return application.sources(Application.class);
  }

  @Bean 
  public RequestContextListener requestContextListener(){
    return new RequestContextListener();
  } 

  @Bean
  public FilterRegistrationBean hiddenHttpMethodFilter() {
    HiddenHttpMethodFilter hiddenHttpMethodFilter = new HiddenHttpMethodFilter();
    FilterRegistrationBean registrationBean = new FilterRegistrationBean();
    registrationBean.setFilter(hiddenHttpMethodFilter);
    return registrationBean;
  }

  @Bean(name = "messageSource")
  public ResourceBundleMessageSource messageSource() {
    ResourceBundleMessageSource messageSource = new ResourceBundleMessageSource();
    messageSource.setBasename("messages/messages");
    logger.debug("Returning messageSource: " + ((messageSource != null) ? messageSource.toString() : "NULL"));
    return messageSource;
  }

}

As soon as we call
security.login(username.getValue(), password.getValue());
(security is an org.vaadin.spring.security.VaadinSecurity)

we get the exception below:

16:36:35.272 [http-nio-8080-exec-9] ERROR c.b.g.c.s.v.views.login.LoginBox/login Login ERROR occured during login.org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'scopedTarget.httpService': Scope 'request' is not active for the current thread; consider defining a scoped proxy for this bean if you intend to refer to it from a singleton; nested exception is java.lang.IllegalStateException: No thread-bound request found: Are you referring to request attributes outside of an actual web request, or processing a request outside of the originally receiving thread? If you are actually operating within a web request and still receive this message, your code is probably running outside of DispatcherServlet/DispatcherPortlet: In this case, use RequestContextListener or RequestContextFilter to expose the current request.

I appreciate any help you can provide.

@peholmst
Owner

The root problem is that you are trying to access the HTTP request while using Websocket communication, during which no HTTP requests exist at all. I also noticed you are using version 0.0.6. The security part has been heavily redesigned in 0.0.7. May I suggest you try with the latest snapshot of Vaadin4Spring and see if the problem persists?


eoliphan commented Mar 7, 2016

I had a similar issue. I have an app that's pretty close to the security-sample-shared, but the 'main' and login UIs had push enabled. After hitting the main URL and being redirected to login, I'd get a flurry of XHR calls to login. Removing @Push from the LoginUI seems to have fixed the problem.

Author

turgos commented Mar 23, 2016

Thank you both for your replies. As you suggested, I have upgraded to 0.0.7, separated the login into a different UI (so we have 2 Vaadin UIs, one for the main application and one for the login) and removed the @Push from the LoginUI. To be more specific, I changed it to Shared Security when upgrading to 0.0.7.

Here are a few side effects/issues I have realized. I would appreciate it if you could comment on those.

a) It seems that after the user logs in and is redirected to MainUI, a new VaadinSession is started. This makes it impossible to share attributes between LoginUI and MainUI with getSession().setAttribute("myValue", value) and getSession().getAttribute("myValue").
Do you see a similar issue?
b) We have many attributes captured on the login screen which we would like to pass to MainUI as part of the user session. Do we have to have a separate LoginUI if we want to use Push? Is there a way to have 1 Vaadin UI, shared security and Push? If this is not possible, what is your suggestion for sharing the attributes between Login and MainUI?
Thank you in advance.

@peholmst
Owner

Here are some really quick answers, hope they help you in some way:
a) I think Spring creates a new session after authentication to protect against session fixation. That might be the reason why a new VaadinSession is also created.
b) See if you can tweak how Spring protects against session fixation. As for using push and a single UI, you could try to use the new WEBSOCKET_XHR push transport, which is a combination of websockets and basic HTTPs.
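
The two suggestions in the reply above, sketched as an added example that is not part of the original thread and is not Vaadin4Spring code. It assumes the application configures Spring Security through a WebSecurityConfigurerAdapter and runs a Vaadin release that ships Transport.WEBSOCKET_XHR (7.6 or later, not the 7.5.8 listed in the report); the class names are hypothetical, and whether Vaadin4Spring's own login path honours this setting is not established on this page.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import com.vaadin.annotations.Push;
import com.vaadin.server.VaadinRequest;
import com.vaadin.shared.ui.ui.Transport;
import com.vaadin.spring.annotation.SpringUI;
import com.vaadin.ui.UI;

// Hypothetical configuration class (assumption, not from the thread).
@Configuration
@EnableWebSecurity
class SessionFixationConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
            .sessionFixation()
                // migrateSession(): a new HttpSession is created at login and the
                // existing attributes are copied into it. Values stored before
                // login survive, while the pre-login session id is discarded.
                .migrateSession();
        // Alternatives on the same configurer:
        //   newSession() - new session, application attributes are NOT copied.
        //   none()       - keeps the pre-login session id, which switches the
        //                  session fixation protection off. Not a fix for
        //                  losing attributes.
    }
}

// Hypothetical single UI using the combined transport named in the reply.
// With WEBSOCKET_XHR the server pushes over the websocket, but client-to-server
// messages (such as the login button click) arrive as ordinary HTTP requests,
// so request-scoped beans and the security filter chain see a real request.
@SpringUI
@Push(transport = Transport.WEBSOCKET_XHR)
class SingleUi extends UI {

    @Override
    protected void init(VaadinRequest request) {
        // Build the login view / main view here.
    }
}
```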

@robinMcMA

Hello everyone,
I have the same problem, but I don't understand how you can fix it with 2 Vaadin UIs. I'm a beginner with the core of the Vaadin framework.
If you make another UI (one for the app, one for push), you can't show a notification, for example, in your app?!
My push is there to notify users in real time about new notifications.
Did you find a way to do this?
