Customizing REST session attributes

I need a way to limit access to Objects based on the Company it belongs to. Each User belongs to a Company but a Company can have multiple Users. Creating a separate Access Group for every single Company is not an option because there will be many Companies and several types of Objects. I solved this partly by extending the DefaultApp class and overriding the connectionStateChanged method to set a session attribute for the logged in User’s Company.

This works fine via the web(VAADIN) interface. But there is a problem when trying to access an Object via the REST interface, the session attributes for the User’s Company is simply not set as the method DefaultApp#connectionStateChanged is never called during an REST authentication. How am I supposed to add new session attributes during an REST authentication?

Fixed the issue by using a constraint as follows:

{E} = (select from sample_ExtUser u where = :session$userId)

Not very optimal but works.

You may try to handle the UserLoggedInEvent, get the UseSession from the event and set required attributes to the session there. See here.