Custom JWT Authentication Filter - 403 Error

Hello! Due to architectural constraints, I decided to write my custom JWT authentication without using VaadinWebSecurity and setLoginView, implementing it with cookies instead. But for some reason I get a blank page when trying to open the login page, and when I open the console in the browser I see “Failed to load resource: the server responded with a status of 403 ()” :sweat_smile: :joy:

My SecurityConfig:


    @Bean
    @Order(4)
    public SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http) throws Exception {
        http
                .securityMatcher("/backoffice/**")
                .authorizeHttpRequests(auth -> auth
                        // These routes are available to everyone
                        .requestMatchers("/backoffice/login") 
                        .permitAll()
                        // Access for administrators
                        .requestMatchers("/backoffice/**")
                        .hasAnyAuthority(RoleName.ROLE_ADMIN.name())
                        .anyRequest().authenticated())
                .formLogin(formLogin -> formLogin
                        .loginPage("/backoffice/login").permitAll()
                        .defaultSuccessUrl("/backoffice", true))
                .logout(formLogout -> formLogout
                        .logoutUrl("/backoffice/logout")
                        .logoutSuccessUrl("/backoffice/login"))
                .csrf(AbstractHttpConfigurer::disable)
                // Adding jwt filter
                .addFilterBefore(jwtVaadinAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
                // Turn off the session
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }

Could it be the influence of the API setting with JWT authentication that is on top?

How could this be fixed? Please tell me.

Thanks for the help.

Using VaadinWebSecurity would help a lot; otherwise you have to allow internal Vaadin communication to bypass your current security rules (which they don’t - see your first error, v-r → 403).

2 Likes

Check out this post: JWT authentication with Vaadin Flow - for better developer and user experience | Vaadin

Thanks for the reply. Could you please, if you know, provide some links on how one would go about solving the problems associated with writing one’s own filter?

I’ve improved my security configuration a bit, but I’m having some problems with downloading files such as “http://127.0.0.1:8080/backoffice/?v-r=init&location=login&query=” or “http://127.0.0.1:8080/backoffice/?v-r=init&location=offline-stub.html&query=”.

    @Bean
    @Order(3)
    public SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http) throws Exception {
        http
                .securityMatcher("/", "/backoffice/**",
                        "/backoffice/VAADIN/**", "/backoffice/frontend/**",
                        "/backoffice/static/**", "/backoffice/public/**", "/backoffice/resources/**")
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(auth -> auth
                        // Permit access to static resources and VAADIN
                        .requestMatchers("/backoffice/VAADIN/**", "/backoffice/frontend/**",
                                "/backoffice/static/**", "/backoffice/public/**", "/backoffice/resources/**").permitAll()
                        // Permit access to the login page
                        .requestMatchers("/backoffice/login/**").permitAll()
                        // The other requests are for admin only
                        .anyRequest().hasAuthority(RoleName.ROLE_ADMIN.name()))
                .formLogin(formLogin -> formLogin
                        .loginPage("/backoffice/login").permitAll()
                        .defaultSuccessUrl("/backoffice/", true))
                .logout(formLogout -> formLogout
                        .logoutUrl("/backoffice/logout")
                        .logoutSuccessUrl("/backoffice/login"))
                // Adding JWT filter
                .addFilterBefore(jwtVaadinAuthenticationFilter, UsernamePasswordAuthenticationFilter.class)
                // Shutting down the session
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }

I’m not keen enough to recommend a custom security configuration… I don’t wanna be liable :wink: You either use the provided VaadinWebSecurity class, or you have to read its source code and duplicate some parts of it.

1 Like
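As an added example, not code from any of the posts above or from Vaadin itself, here is the piece of VaadinWebSecurity that both replies refer to, duplicated into a custom filter chain: a RequestMatcher for Vaadin's framework-internal requests, built on `HandlerHelper.isFrameworkInternalRequest` from Vaadin Flow. The URLs quoted in the thread show why the original rules answer 403: the bootstrap request for the login route is `/backoffice/?v-r=init&location=login`, whose path is `/backoffice/` and not `/backoffice/login`, so the `permitAll()` for the login path never matches it and the admin-only rule for `/backoffice/**` rejects the anonymous request. The servlet mapping `/backoffice/*`, the filter's type name `JwtVaadinAuthenticationFilter`, and the class and package names are assumptions; `RoleName` is the enum used in the thread.

```java
package com.example.backoffice.security; // assumed package

import com.vaadin.flow.server.HandlerHelper;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class BackofficeSecurityConfig {

    // Servlet mapping of the Vaadin UI. Assumed from the URLs in the thread
    // (http://127.0.0.1:8080/backoffice/?v-r=init...), i.e. vaadin.urlMapping=/backoffice/*
    static final String VAADIN_URL_MAPPING = "/backoffice/*";

    // The poster's own cookie/JWT filter; the type name is assumed here.
    private final JwtVaadinAuthenticationFilter jwtVaadinAuthenticationFilter;

    public BackofficeSecurityConfig(JwtVaadinAuthenticationFilter jwtVaadinAuthenticationFilter) {
        this.jwtVaadinAuthenticationFilter = jwtVaadinAuthenticationFilter;
    }

    /**
     * Matches Vaadin's framework-internal traffic: the bootstrap (?v-r=init),
     * UIDL, heartbeat and push requests. They all hit the servlet root
     * (/backoffice/), so a path rule such as requestMatchers("/backoffice/login")
     * never sees the "login" location, which travels only as a query parameter.
     */
    static RequestMatcher vaadinInternalRequests() {
        return (HttpServletRequest request) ->
                HandlerHelper.isFrameworkInternalRequest(VAADIN_URL_MAPPING, request);
    }

    @Bean
    @Order(3)
    SecurityFilterChain vaadinSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/backoffice/**")
            .authorizeHttpRequests(auth -> auth
                // Let the client-server protocol through; the views themselves
                // are protected by Vaadin's view access control (see note below).
                .requestMatchers(vaadinInternalRequests()).permitAll()
                // Static bundle, theme and generated resources
                .requestMatchers("/backoffice/VAADIN/**").permitAll()
                // The login route, as in the thread
                .requestMatchers("/backoffice/login").permitAll()
                // Everything else under the backoffice needs the admin authority
                .anyRequest().hasAuthority(RoleName.ROLE_ADMIN.name()))
            // Vaadin's internal requests carry Vaadin's own CSRF token, so Spring's
            // CSRF check is skipped only for them instead of being disabled globally
            .csrf(csrf -> csrf.ignoringRequestMatchers(vaadinInternalRequests()))
            // Populate the SecurityContext from the JWT cookie before Spring's
            // own username/password filter would run
            .addFilterBefore(jwtVaadinAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Two things follow from permitting the internal requests. First, once the UIDL channel is open to everyone, navigation inside the single-page application happens over those permitted requests, so the `hasAuthority` rule on the URL no longer protects individual views; VaadinWebSecurity compensates by enabling Vaadin's view access checker, and a custom chain has to do the same and annotate views with `@RolesAllowed`/`@PermitAll`, otherwise an anonymous client can reach any route. Second, the matcher is deliberately narrow: it does not use `permitAll()` on `/backoffice/**`, so a direct browser request to an admin URL is still rejected at the servlet filter level.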