Access denied for class with @PermitAll

Hello. I am trying to enable stateless authentication.
This is the security config:

@RequiredArgsConstructor
@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {

	@Value("${app.auth.secret}")
	private String authSecret;

	private final PasswordHasher passwordHasher;

	@Bean
	public CustomPasswordEncoder passwordEncoder() {
		return new CustomPasswordEncoder(passwordHasher);
	}

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		super.configure(http);

		// Disable creating and using sessions in Spring Security
		http.sessionManagement()
				.sessionCreationPolicy(SessionCreationPolicy.STATELESS);

		// Register your login view to the view access checker mechanism
		setLoginView(http, "/login");

		// Enable stateless authentication
		setStatelessAuthentication(http,
				new SecretKeySpec(Base64.getDecoder().decode(authSecret),
						JwsAlgorithms.HS256),
				"com.example.application"
		);
	}
}

Authentication works fine. But when I marked all @Endpoint classes with @PermitAll, I get an error:

{
    "message": "Endpoint 'UsersEndpoint' method 'getExtraFilters' request cannot be accessed, reason: 'Access denied to Vaadin endpoint; to enable endpoint access use one of the following annotations: @AnonymousAllowed, @PermitAll, @RolesAllowed'"
}

This is the method I am calling:

	@PermitAll
	public List<EnumValueAndLabel<String>> getExtraFilters() {
		return usersService.getExtraFilters();
	}

Vaadin Hilla 24.7.0-alpha11

While debugging, I noticed that annotations are checked from different packages javax - jakarta:

Is it a bug? I use import javax.annotation.security.PermitAll everywhere. Why does it pass the same annotation from the jakarta package?

So, the solution is:
import jakarta.annotation.security.PermitAll;

1 Like
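
An added example, not part of the original post and not Hilla's own code: it shows why a deny-by-default access check that looks annotations up by class ignores a same-named annotation from another namespace, and adds an audit helper that flags such annotations. The nested classes JavaxNs and JakartaNs are constructed stand-ins for the javax.annotation.security and jakarta.annotation.security packages, and isAllowed is a simplified assumption about how such a check works.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.util.Set;

public class AnnotationNamespaceCheck {
    // Constructed stand-ins for the two real packages, so this compiles with no dependencies.
    static class JavaxNs   { @Retention(RetentionPolicy.RUNTIME) @interface PermitAll {} }
    static class JakartaNs { @Retention(RetentionPolicy.RUNTIME) @interface PermitAll {} }

    // Constructed endpoint: one method annotated from each namespace.
    static class UsersEndpoint {
        @JavaxNs.PermitAll   public String getExtraFilters() { return "filters"; }
        @JakartaNs.PermitAll public String getUsers()        { return "users"; }
    }

    static final Set<String> SECURITY_NAMES = Set.of("PermitAll", "RolesAllowed", "DenyAll");

    // Simplified deny-by-default check (assumption): annotations are matched by
    // Class identity, so only the jakarta-namespace type grants access.
    static boolean isAllowed(Method m) {
        return m.isAnnotationPresent(JakartaNs.PermitAll.class);
    }

    // Audit helper: returns the name of a security-named annotation that the
    // check above will ignore, or null if there is none. With the real packages
    // the test would be on type.getPackageName() instead of the declaring class.
    static String ignoredSecurityAnnotation(Method m) {
        for (Annotation a : m.getAnnotations()) {
            Class<? extends Annotation> type = a.annotationType();
            if (SECURITY_NAMES.contains(type.getSimpleName())
                    && type.getDeclaringClass() != JakartaNs.class) {
                return type.getName();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        for (Method m : UsersEndpoint.class.getDeclaredMethods()) {
            String ignored = ignoredSecurityAnnotation(m);
            System.out.printf("%-16s allowed=%-5s %s%n", m.getName(), isAllowed(m),
                    ignored == null ? "" : "ignored annotation: " + ignored);
        }
    }
}
```

The mismatch fails closed: the method with the wrong-namespace annotation is denied rather than exposed, which is the behaviour seen in the error message above.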