Access a url outside vaadin security

I start a new vaadin project with springboot with the vaadin-spring-security login.

But Now I need to create one REstController to grant access to one cliente.

So I goes to my applicatio.yml and put

launch-browser: true
whitelisted-packages: com.vaadin,org.vaadin,dev.hilla
exclude-urls: /api/**

Then I create one RestController just like this:

public class SeloController {

private final SeloEletronicoMapper seloEletronicoMapper;
private final AtualizarSeloEletronicoGateway atualizarSeloEletronicoGateway;

public SeloController(SeloEletronicoMapper seloEletronicoMapper, AtualizarSeloEletronicoGateway atualizarSeloEletronicoGateway) {

public void atualizar(@RequestBody List<SeloEletronicoVO> selos){


In my SecutiryConfiguration I put this:

public class SecurityConfiguration extends VaadinWebSecurity {
private final TokenProvider authenticationProvider;

protected void configure(HttpSecurity http) throws Exception {
    http.addFilterBefore(new TenantFilter(), UsernamePasswordAuthenticationFilter.class);

    http.authorizeHttpRequests(authorize -> authorize.requestMatchers(new AntPathRequestMatcher("/api/**")).permitAll());

            authorize -> authorize.requestMatchers(new AntPathRequestMatcher("/images/*.png")).permitAll());
    // Icons from the line-awesome addon
    http.authorizeHttpRequests(authorize -> authorize
            .requestMatchers(new AntPathRequestMatcher("/line-awesome/**/*.svg")).permitAll());

    setLoginView(http, LoginView.class);


But When I Try to access the URL I got this:

I already try to remove the line from SecurityConfiguration but without success too
message.txt (5.54 KB)

You have probably to disable CSRF for the API

http.csrf(csrf -> csrf.ingnoringRequestMatcher(new AntPathRequestMatcher("/api/**")));

before calling super.configure(http)

BTW, you can enable debug level for logger to troubleshoot such issues


@versatile-zorse did u know how can I return an erro to client? today he returns an Http 200 but with the content just like the message.txt file… tks

Are you talking about your RestController? I would probably use a ResponseEntity