Allow unauthenticated users to access 404 view

I’ve set up Vaadin with Spring Security with OAuth2, using VaadinWebSecurity as a base for my security config. Everything works, except that an unauthenticated user gets redirected to the OAuth2 provider when accessing a non-existing URL.
Are there some special settings I need to set in order for that to work?

I think the problem is with

// all other requests require authentication
urlRegistry.anyRequest().authenticated();

in the configure part of the VaadinWebSecurity class. Is there a way to skip this and have all the other configurations applied?

import org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.util.ReflectionUtils;

private void permitAllAnyRequests(HttpSecurity http) throws Exception {
    // this is an ugly workaround to permit all any requests
    // with this, RouteNotFoundView works without users being authenticated.
    var urlRegistry = http.authorizeRequests();
    // the registry refuses further rules once anyRequest() has been called,
    // so reset its private "anyRequestConfigured" flag via reflection
    ReflectionUtils.doWithFields(AbstractRequestMatcherRegistry.class, field -> {
        field.setAccessible(true);
        field.setBoolean(urlRegistry, false);
    }, field -> field.getName().equals("anyRequestConfigured"));
    // register anyRequest() a second time, this time with permitAll
    http.authorizeRequests().anyRequest().permitAll();
}

This is my current workaround, but I don’t know if it has any side effects.
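For readers who want to see where the catch-all rule comes from, here is an added example of a complete VaadinWebSecurity subclass. It is not code from the thread or from Vaadin; it assumes the Vaadin 23 / Spring Security 5 API (`authorizeRequests()` and `antMatchers(...)`, as used in the snippets above), an OAuth2 client registration already present in the application properties, and the class name and the public paths "/public/**" and "/about" are invented for illustration.

```java
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

/**
 * Hypothetical security configuration (added example) showing where the
 * "anyRequest().authenticated()" rule discussed in the thread is registered
 * and which rules can be placed in front of it without reflection.
 */
@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Public parts of the application. These matchers are registered
        // BEFORE super.configure(http), so Spring Security evaluates them
        // ahead of the catch-all rule and anonymous users can open them
        // directly from the browser. The paths are assumed example values.
        http.authorizeRequests()
                .antMatchers("/public/**", "/about").permitAll();

        // VaadinWebSecurity registers the framework-internal matchers and
        // finishes its registry with anyRequest().authenticated(). Every
        // request not matched above, including URLs for which no Vaadin
        // route exists, is therefore sent to the authentication entry point,
        // i.e. the redirect to the OAuth2 provider.
        super.configure(http);

        // Use the OAuth2 client registration from the application properties
        // as the login mechanism instead of a Vaadin login view.
        http.oauth2Login(Customizer.withDefaults());
    }
}
```

Because only URL patterns that are named explicitly can be permitted before the catch-all rule, and an unknown URL by definition matches no such pattern, Spring Security answers every unauthenticated request for a non-existing path the same way it answers one for a protected path. If the thread’s `permitAllAnyRequests` reflection workaround is used anyway, it has to be called after `super.configure(http)`, since that is where the `anyRequest()` rule it overrides is added.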

Everything works, except that an unauthenticated user gets redirected to the OAuth2 provider when accessing a non-existing URL

That is the expected behavior. Answering with 403 or 404 depending on the existence of a page is a security problem.

Oh okay, I didn’t know that. My app has some public part which should be accessible by anyone, and I would like to present the user with a 404 page regardless of whether he’s logged in or not. Can you explain why this would be a security problem?

Simple example: do you want people to know that they aren’t allowed to access /admin (403), and therefore give them the knowledge for free that you have an admin page, instead of always returning 404?

Is that the default way VaadinWebSecurity handles unauthorized users, sending them a 404?

I mean, if a user is authenticated and tries to access a URL that does not exist, he would see a 404 error page, so why not show unauthenticated users the same page if they can sign up for an account? Or am I misunderstanding something?

That’s the default of how Spring Security works :slightly_smiling_face: VaadinWebSecurity just uses the Spring Security mechanism.

Alright, thanks for explaining :slightly_smiling_face:

Reopening this because I forgot to mention that the RouteNotFoundError from Vaadin is annotated with @AnonymousAllowed. Shouldn’t this automatically override Spring Security’s behaviour?

Educated guess: Spring’s mechanism is triggered if you open, for example, /unknownurl from the browser, and Vaadin’s behavior is triggered if you have already loaded a Vaadin application and use e.g. a router link to show a not-allowed view.

Your guess is correct, I tested it. I’ll just keep my workaround then. Seems a bit weird in my opinion.