Package com.vaadin.flow.spring.security

Class VaadinWebSecurity

java.lang.Object
com.vaadin.flow.spring.security.VaadinWebSecurity
@Import(VaadinAwareSecurityContextHolderStrategyConfiguration.class) public abstract class VaadinWebSecurity extends Object

Provides basic Vaadin component-based security configuration for the project.

Sets up security rules for a Vaadin application and restricts all URLs, except public resources and internal Vaadin URLs, to authenticated users.

The default behavior can be altered by overriding the public/protected methods of this class in a subclass.

Provides default bean implementations for SecurityFilterChain and WebSecurityCustomizer.

To use this, create your own web security class by extending this class and annotate it with @EnableWebSecurity and @Configuration.

For example:

 
 import com.vaadin.flow.spring.security.VaadinWebSecurity;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

 @EnableWebSecurity
 @Configuration
 public class MyWebSecurity extends VaadinWebSecurity {
     // No overrides: all URLs except Vaadin internals and public resources
     // require an authenticated user.
 }
 
 
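      A fuller subclass, added here as an example (it is not Vaadin's own code): it permits a few public routes, applies the Vaadin defaults, and registers a Flow login view. com.example.app.views.LoginView is an assumed Flow view (annotated @Route("login") and @AnonymousAllowed); the in-memory users exist only so the class runs stand-alone. The ordering inside configure(HttpSecurity) is the practical point: the Vaadin defaults finish the authorization rules with anyRequest().authenticated(), and Spring Security rejects any requestMatchers() registered after anyRequest(), so application permit rules go before super.configure(http), while setLoginView goes after it.

```java
package com.example.app.security;

import com.example.app.views.LoginView; // assumed: a Flow view, @Route("login") @AnonymousAllowed
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@EnableWebSecurity
@Configuration
public class MyWebSecurity extends VaadinWebSecurity {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Application permit rules go BEFORE super.configure(http): the Vaadin
        // defaults end with anyRequest().authenticated(), and Spring Security
        // refuses requestMatchers() added after anyRequest().
        http.authorizeHttpRequests(auth -> auth
                // routeMatchers(): GET only, i.e. plain navigation to public views.
                .requestMatchers(routeMatchers("/", "/about")).permitAll()
                // antMatchers(): any HTTP method, for resources that are not routes.
                .requestMatchers(antMatchers("/images/**")).permitAll());

        // Vaadin defaults: permit framework-internal requests, require
        // authentication for everything else.
        super.configure(http);

        // Form login on the Flow view; after logout the user lands on "/".
        setLoginView(http, LoginView.class, "/");
    }

    // Development-only users so the example runs. Production code supplies a
    // UserDetailsService (or AuthenticationProvider) backed by a real store.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
                User.withUsername("user")
                        .password(encoder.encode("change-me"))
                        .roles("USER")
                        .build(),
                User.withUsername("admin")
                        .password(encoder.encode("change-me-too"))
                        .roles("ADMIN", "USER")
                        .build());
    }

    // Delegating encoder: new hashes use bcrypt; stored hashes are recognised
    // by their {id} prefix, so the algorithm can be upgraded later.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

      The two matcher helpers differ in scope: routeMatchers("/about") permits only GET /about, which is what a navigation request looks like, whereas antMatchers("/images/**") permits every method on those paths. Use the narrower one unless a resource genuinely needs other methods.
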

  • Constructor Summary

    Constructor
    Description
    VaadinWebSecurity()

  • Method Summary

    Modifier and Type
    Method
    Description

    protected void
    addLogoutHandlers(Consumer<org.springframework.security.web.authentication.logout.LogoutHandler> registry)

    Sets additional LogoutHandlers that will participate in the logout process.

    org.springframework.security.web.util.matcher.RequestMatcher[]
    antMatchers(String... patterns)

    Utility to create RequestMatchers from ant patterns.

    protected String
    applyUrlMapping(String path)

    Helper method to prepend the configured servlet path to the given path.

    protected void
    configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http)

    Applies Vaadin default configuration to HttpSecurity.

    protected void
    configure(org.springframework.security.config.annotation.web.builders.WebSecurity web)

    protected boolean
    enableNavigationAccessControl()

    Gets if navigation access control should be enabled.

    org.springframework.security.web.SecurityFilterChain
    filterChain(org.springframework.security.config.annotation.web.builders.HttpSecurity http)

    Registers the default SecurityFilterChain bean.

    AuthenticationContext
    getAuthenticationContext()

    Gets the default authentication-context bean.

    static org.springframework.security.web.util.matcher.RequestMatcher
    getDefaultHttpSecurityPermitMatcher()

    Matcher for framework internal requests.

    static org.springframework.security.web.util.matcher.RequestMatcher
    getDefaultHttpSecurityPermitMatcher(String urlMapping)

    Matcher for framework internal requests, with the Vaadin servlet mapped on the given path.

    static org.springframework.security.web.util.matcher.RequestMatcher
    getDefaultWebSecurityIgnoreMatcher()

    Matcher for Vaadin static (public) resources.

    static org.springframework.security.web.util.matcher.RequestMatcher
    getDefaultWebSecurityIgnoreMatcher(String urlMapping)

    Matcher for Vaadin static (public) resources, with the Vaadin servlet mapped on the given path.

    protected NavigationAccessControl
    getNavigationAccessControl()

    Vaadin navigation access control bean.

    protected ViewAccessChecker
    getViewAccessChecker()

    Deprecated, for removal: This API element is subject to removal in a future version.
    ViewAccessChecker is not used anymore by VaadinWebSecurity, and has been replaced by NavigationAccessControl.

    protected org.springframework.security.web.authentication.logout.LogoutSuccessHandler
    oidcLogoutSuccessHandler(String postLogoutRedirectUri)

    Gets an OidcClientInitiatedLogoutSuccessHandler instance that redirects to the given URL after logout.

    org.springframework.security.web.util.matcher.RequestMatcher[]
    routeMatchers(String... patterns)

    Utility to create RequestMatchers for Vaadin routes, using ant patterns and the HTTP GET method.

    protected void
    setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView)

    Sets up login for the application using the given Flow login view.

    protected void
    setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView, String logoutSuccessUrl)

    Sets up login for the application using the given Flow login view.

    protected void
    setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String hillaLoginViewPath)

    Sets up login for the application using form login with the given path for the login view.

    protected void
    setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String hillaLoginViewPath, String logoutSuccessUrl)

    Sets up login for the application using form login with the given path for the login view.

    protected void
    setOAuth2LoginPage(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String oauth2LoginPage)

    Sets up the login page URI of the OAuth2 provider on the specified HttpSecurity instance.

    protected void
    setOAuth2LoginPage(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String oauth2LoginPage, String postLogoutRedirectUri)

    Sets up the login page URI of the OAuth2 provider and the post-logout URI on the specified HttpSecurity instance.

    protected void
    setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer)

    Sets up stateless JWT authentication using cookies.

    protected void
    setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer, long expiresIn)

    Sets up stateless JWT authentication using cookies.

    org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer
    webSecurityCustomizer()

    Registers the default WebSecurityCustomizer bean.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • VaadinWebSecurity

      public VaadinWebSecurity()
  • Method Details

    • filterChain

      @Bean(name="VaadinSecurityFilterChainBean") public org.springframework.security.web.SecurityFilterChain filterChain(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception

      Registers the default SecurityFilterChain bean.

      Defines a filter chain which is capable of being matched against an HttpServletRequest in order to decide whether it applies to that request.

      HttpSecurity configuration can be customized by overriding configure(HttpSecurity).

      Throws:

      Exception

    • getAuthenticationContext

      @Bean(name="VaadinAuthenticationContext") public AuthenticationContext getAuthenticationContext()

      Gets the default authentication-context bean.

      Returns:

      the authentication-context bean

    • configure

      protected void configure(org.springframework.security.config.annotation.web.builders.HttpSecurity http) throws Exception

      Applies Vaadin default configuration to HttpSecurity. Typically, subclasses should call super to apply default Vaadin configuration in addition to custom rules.

      Parameters:

      http - the HttpSecurity to modify

      Throws:

      Exception - if an error occurs

    • webSecurityCustomizer

      @Bean(name="VaadinWebSecurityCustomizerBean") public org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer webSecurityCustomizer()

      Registers the default WebSecurityCustomizer bean.

      Beans of this type are picked up automatically by WebSecurityConfiguration to customize WebSecurity.

      WebSecurity configuration can be customized by overriding configure(WebSecurity).

      By default, no WebSecurity customization is performed.

    • configure

      protected void configure(org.springframework.security.config.annotation.web.builders.WebSecurity web) throws Exception

      Throws:

      Exception

    • enableNavigationAccessControl

      protected boolean enableNavigationAccessControl()

      Gets if navigation access control should be enabled. Navigation access control is enabled by default. This method can be overridden to return false to disable it.

      Returns:

      true if navigation access control should be enabled, false to disable it.

    • getDefaultHttpSecurityPermitMatcher

      public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultHttpSecurityPermitMatcher()

      Matcher for framework internal requests. Assumes Vaadin servlet to be mapped on root path (/*).

      Returns:

      default HttpSecurity bypass matcher

    • getDefaultHttpSecurityPermitMatcher

      public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultHttpSecurityPermitMatcher(String urlMapping)

      Matcher for framework internal requests, with Vaadin servlet mapped on the given path.

      Parameters:

      urlMapping - url mapping for the Vaadin servlet.

      Returns:

      default HttpSecurity bypass matcher

    • getDefaultWebSecurityIgnoreMatcher

      public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultWebSecurityIgnoreMatcher()

      Matcher for Vaadin static (public) resources. Assumes Vaadin servlet to be mapped on root path (/*).

      Returns:

      default WebSecurity ignore matcher

    • getDefaultWebSecurityIgnoreMatcher

      public static org.springframework.security.web.util.matcher.RequestMatcher getDefaultWebSecurityIgnoreMatcher(String urlMapping)

      Matcher for Vaadin static (public) resources, with the Vaadin servlet mapped on the given path.

      Parameters:

      urlMapping - the url mapping for the Vaadin servlet

      Returns:

      default WebSecurity ignore matcher

    • antMatchers

      public org.springframework.security.web.util.matcher.RequestMatcher[] antMatchers(String... patterns)

      Utility to create RequestMatchers from ant patterns.

      Parameters:

      patterns - ant patterns

      Returns:

      an array of RequestMatcher instances for the given patterns.

    • routeMatchers

      public org.springframework.security.web.util.matcher.RequestMatcher[] routeMatchers(String... patterns)

      Utility to create RequestMatchers for Vaadin routes, using ant patterns and the HTTP GET method.

      Parameters:

      patterns - ant patterns

      Returns:

      an array of RequestMatcher instances for the given patterns.

    • setLoginView

      protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String hillaLoginViewPath) throws Exception

      Sets up login for the application using form login with the given path for the login view.

      This is used when your application uses a Hilla based login view available at the given path. NOTE: if the login path points to a Flow view, the corresponding Java class must be annotated with @AnonymousAllowed to ensure that the view is always accessible.

      Parameters:

      http - the http security from filterChain(HttpSecurity)

      hillaLoginViewPath - the path to the login view

      Throws:

      Exception - if something goes wrong

    • setLoginView

      protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String hillaLoginViewPath, String logoutSuccessUrl) throws Exception

      Sets up login for the application using form login with the given path for the login view.

      This is used when your application uses a Hilla based login view available at the given path. NOTE: if the login path points to a Flow view, the corresponding Java class must be annotated with @AnonymousAllowed to ensure that the view is always accessible.

      Parameters:

      http - the http security from filterChain(HttpSecurity)

      hillaLoginViewPath - the path to the login view

      logoutSuccessUrl - the URL to redirect the user to after logging out

      Throws:

      Exception - if something goes wrong

    • setLoginView

      protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView) throws Exception

      Sets up login for the application using the given Flow login view.

      Parameters:

      http - the http security from filterChain(HttpSecurity)

      flowLoginView - the login view to use

      Throws:

      Exception - if something goes wrong

    • setLoginView

      protected void setLoginView(org.springframework.security.config.annotation.web.builders.HttpSecurity http, Class<? extends Component> flowLoginView, String logoutSuccessUrl) throws Exception

      Sets up login for the application using the given Flow login view.

      Parameters:

      http - the http security from filterChain(HttpSecurity)

      flowLoginView - the login view to use

      logoutSuccessUrl - the URL to redirect the user to after logging out

      Throws:

      Exception - if something goes wrong

    • setOAuth2LoginPage

      protected void setOAuth2LoginPage(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String oauth2LoginPage) throws Exception

      Sets up the login page URI of the OAuth2 provider on the specified HttpSecurity instance.

      This method also configures a logout success handler that redirects to the application base URL after logout.

      Parameters:

      http - the http security from filterChain(HttpSecurity)

      oauth2LoginPage - the login page of the OAuth2 provider. This specifies the URL to send users to if login is required.

      Throws:

      Exception - Re-throws the possible exceptions while activating OAuth2LoginConfigurer

    • setOAuth2LoginPage

      protected void setOAuth2LoginPage(org.springframework.security.config.annotation.web.builders.HttpSecurity http, String oauth2LoginPage, String postLogoutRedirectUri) throws Exception

      Sets up the login page URI of the OAuth2 provider and the post-logout URI on the specified HttpSecurity instance.

      The post-logout redirect URI can be a relative or absolute URI, or a template. The supported URI template variables are {baseScheme}, {baseHost}, {basePort} and {basePath}.

      NOTE: "{baseUrl}" is also supported, and is equivalent to "{baseScheme}://{baseHost}{basePort}{basePath}"; on the underlying Spring Security handler this corresponds to handler.setPostLogoutRedirectUri("{baseUrl}");

      Parameters:

      http - the http security from filterChain(HttpSecurity)

      oauth2LoginPage - the login page of the OAuth2 provider. This specifies the URL to send users to if login is required.

      postLogoutRedirectUri - the post-logout redirect URI. Can be a template.

      Throws:

      Exception - Re-throws the possible exceptions while activating OAuth2LoginConfigurer

    • oidcLogoutSuccessHandler

      protected org.springframework.security.web.authentication.logout.LogoutSuccessHandler oidcLogoutSuccessHandler(String postLogoutRedirectUri)

      Gets an OidcClientInitiatedLogoutSuccessHandler instance that redirects to the given URL after logout.

      If a ClientRegistrationRepository bean is not registered in the application context, the method returns null.

      Parameters:

      postLogoutRedirectUri - the post logout redirect uri

      Returns:

      an OidcClientInitiatedLogoutSuccessHandler, or null if a ClientRegistrationRepository bean is not registered in the application context.

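      An OpenID Connect login configured through setOAuth2LoginPage(http, oauth2LoginPage, postLogoutRedirectUri), added here as an example (not Vaadin's own code). The client registration named "keycloak", its property values, the issuer URL and the /logged-out route are assumptions. The login URL uses Spring Security's default authorization-request endpoint, /oauth2/authorization/{registrationId}. The post-logout value is a "{baseUrl}" template, resolved per request; the provider must have the resolved URI registered as an allowed post-logout redirect URI, and the logout only reaches the provider when a ClientRegistrationRepository bean exists (otherwise oidcLogoutSuccessHandler returns null, as documented above).

```java
package com.example.app.security;

import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

// Assumed client registration "keycloak" in application.properties (placeholder
// values; the client secret comes from the environment or a secret store):
//   spring.security.oauth2.client.registration.keycloak.client-id=vaadin-app
//   spring.security.oauth2.client.registration.keycloak.client-secret=${KEYCLOAK_CLIENT_SECRET}
//   spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email
//   spring.security.oauth2.client.provider.keycloak.issuer-uri=https://idp.example.com/realms/app
@EnableWebSecurity
@Configuration
public class OidcWebSecurity extends VaadinWebSecurity {

    // Spring Security's default authorization-request endpoint; sending
    // unauthenticated users here starts the Authorization Code flow with
    // the "keycloak" registration.
    private static final String LOGIN_URL = "/oauth2/authorization/keycloak";

    // Template resolved per request from scheme, host, port and context path.
    // The provider must list the resolved URI as an allowed post-logout
    // redirect URI, or it will refuse the RP-initiated logout.
    private static final String POST_LOGOUT_URL = "{baseUrl}/logged-out";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // The landing page after logout must be viewable anonymously
                // (the Flow view behind it also needs @AnonymousAllowed).
                .requestMatchers(routeMatchers("/logged-out")).permitAll());
        super.configure(http);
        setOAuth2LoginPage(http, LOGIN_URL, POST_LOGOUT_URL);
    }
}
```

      When the application runs behind a reverse proxy, the template variables are taken from the request as the application sees it; Spring Boot's server.forward-headers-strategy setting (for example framework) is what makes the original scheme and host visible, otherwise the post-logout URI resolves to the internal address and the provider rejects it.
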
    • setStatelessAuthentication

      protected void setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer) throws Exception

      Sets up stateless JWT authentication using cookies.

      Parameters:

      http - the http security from filterChain(HttpSecurity)

      secretKey - the secret key for encoding and decoding JWTs; its algorithm name must be a MacAlgorithm name (HS256, HS384 or HS512)

      issuer - the issuer JWT claim

      Throws:

      Exception - if something goes wrong

    • setStatelessAuthentication

      protected void setStatelessAuthentication(org.springframework.security.config.annotation.web.builders.HttpSecurity http, SecretKey secretKey, String issuer, long expiresIn) throws Exception

      Sets up stateless JWT authentication using cookies.

      Parameters:

      http - the http security from filterChain(HttpSecurity)

      secretKey - the secret key for encoding and decoding JWTs; its algorithm name must be a MacAlgorithm name (HS256, HS384 or HS512)

      issuer - the issuer JWT claim

      expiresIn - lifetime of the JWT and cookies, in seconds

      Throws:

      Exception - if something goes wrong

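      Stateless authentication with setStatelessAuthentication(http, secretKey, issuer, expiresIn), added here as an example (not Vaadin's own code). The property name app.auth.jwt-secret, the issuer value and com.example.app.views.LoginView are assumptions. The key is built from Base64-encoded random bytes with a MacAlgorithm name as its algorithm, and the helper refuses keys shorter than the hash output (RFC 7518 section 3.2 requires at least 256 bits for HS256), because a short HMAC key makes the JWT signature brute-forceable and every session on the site is then forgeable.

```java
package com.example.app.security;

import com.example.app.views.LoginView; // assumed: Flow login view, @Route("login") @AnonymousAllowed
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import java.util.Base64;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;

@EnableWebSecurity
@Configuration
public class StatelessWebSecurity extends VaadinWebSecurity {

    // A JWT cannot be revoked before it expires, so this bounds how long a
    // stolen cookie, or a disabled account, stays usable.
    private static final long TOKEN_LIFETIME_SECONDS = 30 * 60;

    // Assumed property: Base64 of at least 32 random bytes (for example
    // `openssl rand -base64 32`), supplied via the environment or a secret
    // store and never committed to the repository.
    @Value("${app.auth.jwt-secret}")
    private String base64Secret;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        setLoginView(http, LoginView.class);
        setStatelessAuthentication(http,
                hmacKey(base64Secret, MacAlgorithm.HS256),
                "https://app.example.com",   // issuer claim, unique to this application
                TOKEN_LIFETIME_SECONDS);
    }

    // Builds the SecretKey expected by setStatelessAuthentication: raw key
    // bytes whose algorithm name is the MacAlgorithm name (HS256/HS384/HS512).
    static SecretKey hmacKey(String base64, MacAlgorithm algorithm) {
        byte[] raw = Base64.getDecoder().decode(base64);
        // RFC 7518 section 3.2: the HMAC key must be at least as long as the
        // hash output; anything shorter signs every session with a weak key.
        int minBytes = switch (algorithm) {
            case HS256 -> 32;
            case HS384 -> 48;
            case HS512 -> 64;
        };
        if (raw.length < minBytes) {
            throw new IllegalStateException("app.auth.jwt-secret must decode to at least "
                    + minBytes + " bytes for " + algorithm.getName());
        }
        return new SecretKeySpec(raw, algorithm.getName());
    }
}
```

      Because the whole security context lives in the cookie, anyone holding the secret can mint a valid session for any user; treat the secret like a password database, rotate it on suspicion of exposure (which logs everyone out), and keep expiresIn short enough that an account disabled on the server stops working within an acceptable window.
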
    • applyUrlMapping

      protected String applyUrlMapping(String path)

      Helper method to prepend the configured servlet path to the given path. The path is always treated as relative to the servlet path, even if it starts with a slash character.

      Parameters:

      path - path to be prefixed with servlet path

      Returns:

      the input path prepended by servlet path.

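      A configuration for a Vaadin servlet that is not mapped on the root path, added here as an example (not Vaadin's own code). It assumes the Spring Boot property vaadin.url-mapping=/ui/* and a Flow view com.example.app.views.LoginView. The point is that, off the root path, every rule you write yourself has to carry the mapping: applyUrlMapping(path) does that for your own patterns, and the static getDefaultWebSecurityIgnoreMatcher(urlMapping) and getDefaultHttpSecurityPermitMatcher(urlMapping) overloads do it for Vaadin's static and internal requests.

```java
package com.example.app.security;

import com.example.app.views.LoginView; // assumed: Flow login view, @Route("login") @AnonymousAllowed
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Assumed property so that the Vaadin servlet is not on the root path:
//   vaadin.url-mapping=/ui/*
@EnableWebSecurity
@Configuration
public class MappedWebSecurity extends VaadinWebSecurity {

    private static final String VAADIN_MAPPING = "/ui/*";

    @Override
    protected void configure(WebSecurity web) throws Exception {
        super.configure(web);
        // Vaadin's static public resources under the mapped path bypass the
        // security filter chain entirely (no authentication, CSRF or security
        // headers). That is only acceptable for files that are public by design;
        // never widen this matcher to application endpoints.
        web.ignoring().requestMatchers(getDefaultWebSecurityIgnoreMatcher(VAADIN_MAPPING));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                // applyUrlMapping("public/**") and applyUrlMapping("/public/**")
                // both yield the pattern prefixed with the servlet path; the
                // argument is always relative to it, so a leading slash cannot
                // accidentally turn the rule into a root-level pattern.
                .requestMatchers(new AntPathRequestMatcher(applyUrlMapping("public/**"), "GET"))
                        .permitAll()
                // Framework-internal requests (UIDL, push, ...) for this mapping.
                .requestMatchers(getDefaultHttpSecurityPermitMatcher(VAADIN_MAPPING))
                        .permitAll());
        super.configure(http);
        setLoginView(http, LoginView.class);
    }
}
```

      A quick check after deployment: an unauthenticated GET on a protected route under /ui/ must redirect to the login view, and a direct GET on a static resource under /ui/ must be served without a redirect; if the first succeeds without login, a permit pattern was written without the mapping and matches more than intended.
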
    • getViewAccessChecker

      @Deprecated(forRemoval=true, since="24.3") protected ViewAccessChecker getViewAccessChecker()
      Deprecated, for removal: This API element is subject to removal in a future version.
      ViewAccessChecker is not used anymore by VaadinWebSecurity, and has been replaced by NavigationAccessControl. This method returns a stub implementation that delegates to the NavigationAccessControl instance.

      Vaadin views access checker bean.

      This getter can be used in an implementing class to override the logic of the VaadinWebSecurity.setLoginView methods and call ViewAccessChecker methods explicitly.

      Note that this bean is field-autowired, so this getter returns null when called from the constructor of the implementing class.

      Returns:

      ViewAccessChecker bean used by this VaadinWebSecurity configuration.

    • getNavigationAccessControl

      protected NavigationAccessControl getNavigationAccessControl()

      Vaadin navigation access control bean.

      This getter can be used in an implementing class to override the logic of the VaadinWebSecurity.setLoginView methods and call NavigationAccessControl methods explicitly.

      Note that this bean is field-autowired, so this getter returns null when called from the constructor of the implementing class.

      Returns:

      NavigationAccessControl bean used by this VaadinWebSecurity configuration.

    • addLogoutHandlers

      protected void addLogoutHandlers(Consumer<org.springframework.security.web.authentication.logout.LogoutHandler> registry)

      Sets additional LogoutHandlers that will participate in the logout process.

      Parameters:

      registry - used to add custom handlers.
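
      An addLogoutHandlers override, added here as an example (not Vaadin's own code). It registers two handlers through the Consumer: Spring Security's CookieClearingLogoutHandler for an application cookie (the name APP_PREFS is an assumption) that Spring would otherwise leave behind, and a small audit handler that writes one log line per logout. The audit handler swallows its own failures on purpose, so a logging problem can never leave a user logged in, and it logs only a truncated session id, since a full id in a log file is a replayable credential.

```java
package com.example.app.security;

import com.vaadin.flow.spring.security.VaadinWebSecurity;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.util.function.Consumer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutHandler;

@EnableWebSecurity
@Configuration
public class AuditedWebSecurity extends VaadinWebSecurity {

    @Override
    protected void addLogoutHandlers(Consumer<LogoutHandler> registry) {
        // Expire an application cookie Spring Security knows nothing about;
        // otherwise it would outlive the session on a shared machine.
        registry.accept(new CookieClearingLogoutHandler("APP_PREFS"));
        // Record the logout for the audit trail.
        registry.accept(new AuditLogoutHandler());
    }

    // One structured log line per logout. Deliberately never throws: a failing
    // audit hook must not abort the logout and leave the user signed in.
    static final class AuditLogoutHandler implements LogoutHandler {
        private static final Logger AUDIT = LoggerFactory.getLogger("security.audit");

        @Override
        public void logout(HttpServletRequest request, HttpServletResponse response,
                           Authentication authentication) {
            try {
                String user = authentication != null ? authentication.getName() : "<anonymous>";
                // Another handler may already have invalidated the session, so never create one here.
                HttpSession session = request.getSession(false);
                String sessionRef = session != null ? fingerprint(session.getId()) : "<none>";
                AUDIT.info("event=logout user={} session={} remote={}",
                        user, sessionRef, request.getRemoteAddr());
            } catch (RuntimeException e) {
                AUDIT.warn("event=logout audit_failed reason={}", e.toString());
            }
        }

        // Never write the full session id to logs: whoever reads the log could replay it.
        private static String fingerprint(String sessionId) {
            return sessionId.length() > 8 ? sessionId.substring(0, 8) + "..." : sessionId;
        }
    }
}
```

      request.getRemoteAddr() is the address of the immediate peer; behind a load balancer it is the balancer, and the client address has to be taken from forwarded headers that the proxy is trusted to set.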