Access a URL outside Vaadin security

I started a new Vaadin project with Spring Boot with the vaadin-spring-security login.

But now I need to create a RestController to grant access to one client.

So I went to my application.yml and put:

vaadin:
  launch-browser: true
  whitelisted-packages: com.vaadin,org.vaadin,dev.hilla
  exclude-urls: /api/**

Then I created a RestController just like this:

@RestController
public class SeloController {

    private final SeloEletronicoMapper seloEletronicoMapper;
    private final AtualizarSeloEletronicoGateway atualizarSeloEletronicoGateway;

    // Constructor injection of the mapper and the gateway
    public SeloController(SeloEletronicoMapper seloEletronicoMapper, AtualizarSeloEletronicoGateway atualizarSeloEletronicoGateway) {
        this.seloEletronicoMapper = seloEletronicoMapper;
        this.atualizarSeloEletronicoGateway = atualizarSeloEletronicoGateway;
    }

    @PostMapping("/api/selo")
    public void atualizar(@RequestBody List<SeloEletronicoVO> selos) {
        atualizarSeloEletronicoGateway.atualizarSeloEletronico(seloEletronicoMapper.fromVOS(selos));
    }

}

In my SecurityConfiguration I put this:

@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {
    private final TokenProvider authenticationProvider;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterBefore(new TenantFilter(), UsernamePasswordAuthenticationFilter.class);

        http.authorizeHttpRequests(authorize -> authorize.requestMatchers(new AntPathRequestMatcher("/api/**")).permitAll());

        http.authorizeHttpRequests(
                authorize -> authorize.requestMatchers(new AntPathRequestMatcher("/images/*.png")).permitAll());
        // Icons from the line-awesome addon
        http.authorizeHttpRequests(authorize -> authorize
                .requestMatchers(new AntPathRequestMatcher("/line-awesome/**/*.svg")).permitAll());

        super.configure(http);
        setLoginView(http, LoginView.class);
    }

}

But when I try to access the URL I get this:

I already tried to remove the line from SecurityConfiguration, but without success too.
message.txt (5.54 KB)

You probably have to disable CSRF for the API

http.csrf(csrf -> csrf.ignoringRequestMatchers(new AntPathRequestMatcher("/api/**")));

before calling super.configure(http)

BTW, you can enable debug level for org.springframework.security logger to troubleshoot such issues

works…tks

@versatile-zorse do you know how I can return an error to the client? Today it returns an HTTP 200 but with content just like the message.txt file… tks

Are you talking about your RestController? I would probably use a ResponseEntity
https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-controller/ann-methods/responseentity.html
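
The two answers above combined, as an added example that is not code from the thread: the /api/** rules registered before super.configure(http), and the controller returning explicit status codes through ResponseEntity. It assumes Vaadin 24 with Spring Security 6; the class names ApiSecurityConfiguration and SeloApiController are made up, and catching RuntimeException assumes the gateway signals failure by throwing.

```java
// Added example. LoginView, SeloEletronicoVO, SeloEletronicoMapper and
// AtualizarSeloEletronicoGateway are the thread's classes, assumed in this package.
import java.util.List;
import java.util.Map;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.bind.annotation.*;
import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
@Configuration
class ApiSecurityConfiguration extends VaadinWebSecurity {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        AntPathRequestMatcher api = new AntPathRequestMatcher("/api/**");
        // Register both rules before super.configure(http), which adds Vaadin's own.
        http.authorizeHttpRequests(auth -> auth.requestMatchers(api).permitAll());
        // CSRF is skipped for /api/** only; every other URL keeps it.
        http.csrf(csrf -> csrf.ignoringRequestMatchers(api));
        super.configure(http);
        setLoginView(http, LoginView.class);
    }
}

@RestController
class SeloApiController {
    private final SeloEletronicoMapper mapper;
    private final AtualizarSeloEletronicoGateway gateway;
    SeloApiController(SeloEletronicoMapper mapper, AtualizarSeloEletronicoGateway gateway) {
        this.mapper = mapper;
        this.gateway = gateway;
    }

    @PostMapping("/api/selo")
    public ResponseEntity<Map<String, String>> atualizar(@RequestBody List<SeloEletronicoVO> selos) {
        if (selos.isEmpty()) { // reachable without login, so validate the payload here
            return ResponseEntity.badRequest().body(Map.of("error", "empty list"));
        }
        try {
            gateway.atualizarSeloEletronico(mapper.fromVOS(selos));
            return ResponseEntity.noContent().build(); // 204 on success
        } catch (RuntimeException e) { // assumption: the gateway throws on failure
            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
                    .body(Map.of("error", "update failed")); // no internal details to the client
        }
    }
}
```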