Define an URL into the whitelist

watt-lee · September 18, 2025, 11:23am

In the sample code below:

@EnableWebSecurity
@Configuration
@Import({ VaadinAwareSecurityContextHolderStrategyConfiguration.class })
@ConditionalOnMissingBean(ControlCenterSecurityConfig.class)
class DevSecurityConfig {
...
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

        return http.with(VaadinSecurityConfigurer.vaadin(), configurer -> configurer.loginView(DevLoginView.LOGIN_PATH))
                .authorizeHttpRequests(e -> e.requestMatchers("/sse").permitAll())
            .build();
    }
...
}

Accessing http://localhost:8080/sse, it navigates http://localhost:8080/dev-login firstly, then reports Could not navigate to ‘sse’.

Dose anyone know how to define /sse into the whitelist? so the URL can be accessed directly.

Thanks in advance.

marcoc_753 · September 18, 2025, 11:53am

Not sure if it will fix the issue, but if you expose your own security chain using VaadinSecurityConfigurer (as you should do ) your configuration class must not extend VaadinWebSecurity otherwhise you end up with two potentially conflicting filter chains.

watt-lee · September 18, 2025, 12:50pm

You are right. After VaadinWebSecurity is removed, it still dose not work.

marcoc_753 · September 18, 2025, 1:14pm

Have you alredy try to move the /sse authorization rule before the with(vaadin(), ..)?

watt-lee · September 19, 2025, 3:21pm

Doesn’t work after do as you described.

marcoc_753 · September 19, 2025, 3:50pm

Can you share a project that reproduces the issue?

watt-lee · September 22, 2025, 8:27am

Please follow the steps to reproduce the issue, because the project couldn’t be attached with the post:

create a security project and download it (vaadin version latest: 24.9.0, my version: 24.8.4).
add a MCP server WeatherService:

package com.example.application.mcp;


import org.springframework.ai.tool.annotation.Tool;
import org.springframework.stereotype.Service;

@Service
public class WeatherService {

    @Tool(name = "getWeather", description = "Get weather information by city name")
    public String getWeather(String cityName) {
        // Implementation
        return "Weather information for " + cityName;
    }

    @Tool(name = "getPMI", description = "Get PMI information by city name")
    public String getPMIr(String cityName) {
        // Implementation
        return "PMI information for " + cityName;
    }
}

modify Application.java:

@SpringBootApplication
@Theme(value = "my-app")
public class Application implements AppShellConfigurator {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @Bean
    public ToolCallbackProvider weatherTools(WeatherService weatherService) {
        return MethodToolCallbackProvider.builder().toolObjects(weatherService).build();
    }
}

add mcp dependency in pom.xlm:

        <dependency>
            <groupId>org.springframework.ai</groupId>
            <artifactId>spring-ai-starter-mcp-server-webflux</artifactId>
            <version>1.0.0-M7</version>
        </dependency>

run the project. Log info ‘Registered tools: 2, notification: true’ is printed out in console.
access http://localhost:8080/sse, the issue could be reproduced.
If no issue, it will return message like:
event:endpoint data:/mcp/message?sessionId=ef575c6c-6cf6-45ba-b076-38d26c5b7d57

Actually I would like to integrate the vaadin project with a MCP server. If you leave your email, I could send the project to you.

Thanks for your patient and your help.

marcoc_753 · September 22, 2025, 9:15am

It looks like to me that mixing servlet and webflux might could be an issue.
I created a project by following the provided steps but used the following dependencies

        <dependency>
            <groupId>org.springframework.ai</groupId>
            <artifactId>spring-ai-starter-mcp-server-webmvc</artifactId>
            <version>1.0.0-M7</version>
        </dependency>

EDIT: Only the spring-ai-starter-mcp-server-webmvc dependency is needed.

With this setup and adding the requestMatchers("/sse").permitAll() rule in security configuration, I’m able to access the sse endpoint without the login page being shown.

watt-lee · September 22, 2025, 9:31am

Great! it works. Thank you very much.

watt-lee · September 24, 2025, 11:29am

Fail to connect the sever with a MCP client, so I create another post to follow the issue. Hope you could have the solution once again.