Directory

Spring Boot Security for Vaadin - Vaadin Add-on Directory

Security for Vaadin applications based on Spring Boot Security Spring Boot Security for Vaadin - Vaadin Add-on Directory
This add-on serves as glue between Vaadin and Spring Boot Security with the goal of bringing both worlds together as seamlessly as possible. The URL-based security of Spring is replaced with annotations directly on your Vaadin views and endpoint methods. Access rules can be defined using expressions, like `hasRole('ADMIN')` or any Java code. Its features mainly focus on two areas: * **Authentication:** You configure most parts of your Spring Security filter chain (AuthenticationManager, AuthenticationProviders, UserDetailsService, remember-be authentication, etc.) in your WebSecurityConfigurerAdapter as you would otherwise. This add-on will (by default) configure the form login and logout and wrap them in a simple Java (i.e. server-side) API. This API can be used in your login view to which the user will be automatically forwarded. This allows you to stay completely in Java and Vaadin; no HTML login page or URL redirection necessary. But authentication can also be completely customized to use Web SSO mechanisms instead. See the project page for links to examples like Keycloak and Kerberos. * **Access control:** Access control works for views and [endpoints](https://vaadin.com/docs/current/flow/typescript/accessing-backend.html) using annotations. Access rules are defined using [Spring Security expressions](https://docs.spring.io/spring-security/site/docs/current/reference/html5/#el-access) or custom Java code for more advanced requirements. There's also a Java API to facilitate fine-grained control within your views and endpoints, so it is e.g. possible to also have publicly accessible views with partially restricted content. Access rules for routes can also be changed at runtime. **For more details on how to use this add-on, please see the [project page](https://gitlab.com/codecamp-de/vaadin-security-spring) and/or take a look at the [source code of the demo application](https://gitlab.com/codecamp-de/vaadin-security-spring-demo).** Please let me know if you're successfully using this add-on. Otherwise let me know what doesn't work for you; there's always room for improvement.
Source Code
Demo Project
Javadoc

Spring Boot Security for Vaadin version 0.9.0

Spring Boot Security for Vaadin version 0.9.1
This addon no longer triggers Spring Boot's ValidationAutoConfiguration. You no longer have to add *spring-boot-starter-validation* if you don't already need it for other reasons.

Spring Boot Security for Vaadin version 0.9.2
Some fixes and improvements under the hood. Should work with Vaadin 17 now.

Spring Boot Security for Vaadin version 0.9.3
* Authentication result handling is now customizable. * Access rules can now be set dynamically (along the lines of `RouteConfiguration`). * **A few classes have been renamed to be more fitting or concise.** This might cause a few minor compile errors that should be very easy to fix.

Spring Boot Security for Vaadin version 0.9.4
Authentication has been reworked to generally support Web SSO scenarios. See demo application for [example using Keycloak](https://gitlab.com/codecamp-de/vaadin-security-spring-demo/-/tree/keycloak).

Spring Boot Security for Vaadin version 0.9.5
- Fix URL issues for standard authentication when using reverse proxies. - Handlers have a better default order. Default handlers now provide constants with their order. Use them instead of magic numbers like `Ordered.LOWEST_PRECEDENCE - 1`. - Other internal improvements.

Spring Boot Security for Vaadin version 1.0.0
Added support for Vaadin endpoints. Routes and endpoints can now be secured in excatly the same way, while still allowing access to the specifics of each case when necessary. The necessary rework makes this version backwards incompatible, though the changes are not major. @SecuredRoute is now @SecuredAccess; the rest should be easier to figure out.

Spring Boot Security for Vaadin version 2.1.1
- Supports and requires Vaadin 20+ now. - Check access to views without navigating there: `VaadinSecurity#hasAccessTo(...)` - CSRF protection no longer completely disabled. Only selectively for Vaadin-related requests.

Spring Boot Security for Vaadin version 2.2.0
- Support Vaadin 21.

Spring Boot Security for Vaadin version 2.2.1
- Fix error when no Fusion @Endpoint is present in the application.

Spring Boot Security for Vaadin version 2.3.0
Support Vaadin 22.

Spring Boot Security for Vaadin version 3.0.2
Supports (and requires) Vaadin 23.

Spring Boot Security for Vaadin version 3.1.0
- `SecurityContextHolder` is now configured to be Vaadin-aware. `VaadinSecurity#getAuthentication(...)` is obsolete now. - Support for Spring Boot 2.7's deprecation of `WebSecurityConfigurerAdapter`. Configuring a `SecurityFilterChain` no longer leads to an error.

Spring Boot Security for Vaadin version 3.1.2
- Restore old behavior of VaadinSecurityConfigurerAdapter (to restore the old order of things). - Workaround for missing authentication during AuthenticationChangeEvent.

Spring Boot Security for Vaadin version 4.0.0
- Supports and requires Vaadin 24.

Spring Boot Security for Vaadin version 4.0.1

Spring Boot Security for Vaadin version 4.0.2

Spring Boot Security for Vaadin version 4.0.3