Customizing REST session attributes

I need a way to limit access to Objects based on the Company it belongs to. Each User belongs to a Company but a Company can have multiple Users. Creating a separate Access Group for every single Company is not an option because there will be many Companies and several types of Objects. I solved this partly by extending the DefaultApp class and overriding the connectionStateChanged method to set a session attribute for the logged in User’s Company.

This works fine via the web (Vaadin) interface. But there is a problem when trying to access an Object via the REST interface: the session attributes for the User's Company are simply not set, as the method DefaultApp#connectionStateChanged is never called during a REST authentication. How am I supposed to add new session attributes during a REST authentication?

Fixed the issue by using a constraint as follows:

{E}.company.id = (select u.company.id from sample_ExtUser u where u.id = :session$userId)

Not very optimal but works.

You may try to handle the UserLoggedInEvent, get the UserSession from the event and set required attributes to the session there. See here.
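As an added illustration of the approach suggested in the reply above (this is not code from the original thread or from the CUBA Platform itself), the following middleware bean listens for UserLoggedInEvent and stores the logged-in user's company id as a session attribute. Because the event is published on the middleware for every successful login, the attribute is set for both the Vaadin web client and the REST API, which is what the original DefaultApp#connectionStateChanged override could not achieve. The package name, the ExtUser entity with its company attribute (the sample_ExtUser from the constraint in the thread), the view name and the bean name are assumptions; the fluent DataManager calls are as used in CUBA 7.x.

```java
package com.company.sample.core;   // assumed package of the core (middleware) module

import com.company.sample.entity.ExtUser;            // assumed: the extended User entity (sample_ExtUser)
import com.haulmont.cuba.core.global.DataManager;
import com.haulmont.cuba.security.auth.events.UserLoggedInEvent;
import com.haulmont.cuba.security.global.UserSession;
import org.springframework.context.event.EventListener;
import org.springframework.stereotype.Component;

import javax.inject.Inject;
import java.util.UUID;

/**
 * Sets a "companyId" session attribute right after authentication.
 * UserLoggedInEvent is published by the middleware authentication manager
 * for every successful login, so this runs for web (Vaadin) and REST clients alike.
 */
@Component("sample_CompanySessionAttributes")   // assumed bean name
public class CompanySessionAttributes {

    /** Attribute name; referenced in access group constraints as :session$companyId */
    public static final String COMPANY_ID_ATTR = "companyId";

    @Inject
    private DataManager dataManager;

    @EventListener
    public void onUserLoggedIn(UserLoggedInEvent event) {
        UserSession session = event.getSession();

        // The User instance held by the session may not have its 'company' reference
        // loaded, so reload it through an (assumed) view that includes 'company'.
        ExtUser user = dataManager.load(ExtUser.class)
                .id(session.getUser().getId())
                .view("extUser-with-company")        // assumed view name
                .optional()
                .orElse(null);

        if (user == null || user.getCompany() == null) {
            // No company: leave the attribute unset. A constraint comparing
            // {E}.company.id = :session$companyId then matches no rows at all,
            // which is the safe default for a user outside any company.
            return;
        }

        // Session attribute values must be Serializable; UUID qualifies.
        UUID companyId = user.getCompany().getId();
        session.setAttribute(COMPANY_ID_ATTR, companyId);
    }
}
```

With the attribute in place, the constraint from the thread no longer needs a subquery per check and can be written as `{E}.company.id = :session$companyId`; since the attribute is populated on the middleware, the same constraint is enforced for entities fetched through the REST API.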