Hi, I am trying to exclude a path/route (“/test”) from the login part.
I added the following code in the SecurityConfig:
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            // Register our CustomRequestCache, that saves unauthorized access attempts, so
            .requestCache().requestCache(new CustomRequestCache())
            .and().authorizeRequests()
            .antMatchers("/test").permitAll()
            .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
            // Allow all requests by logged in users.
            .anyRequest()
            .authenticated()
            // Configure the login page.
            .and().formLogin().loginPage(LOGIN_URL).permitAll().loginProcessingUrl(LOGIN_PROCESSING_URL)
            .failureUrl(LOGIN_FAILURE_URL)
            // Register the success handler that redirects users to the page they last tried
            // to access
            .successHandler(new SavedRequestAwareAuthenticationSuccessHandler())
            // Configure logout
            .and().logout().logoutSuccessUrl(LOGOUT_SUCCESS_URL);
    }
But nevertheless, the login page pops up when I try to open “/test”. What should I change in LoginView to get this to work? I tried to change the “beforeEnter” method and checked for the active path (“/test”). I tried to set “setOpened(false)”, but this doesn’t really help… and redirecting to my TestView ends up in a closed loop.
I don’t see anything wrong in your HttpSecurityConfiguration. Weird that it doesn’t work.
You could try another way though. In your WebSecurityConfigurerAdapter implementation class, add your “/test” route to the public void configure(WebSecurity web) method, e.g.:
    // Routes configured here should be ignored by Spring Security
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers("/test");
    }
This doesn’t work either. But the web.ignoring.antMatchers for Vaadin and co works…
My TestView class extends an AbstractPageTemplate with a Route (“test”).
Hm… have you tested a Vaadin project with such a security configuration?
I think there is something strange in the ConfigureUIServiceInitListener-Class in the beforeEnter-Method…
Attempt to remove any previous workarounds you had until the websecurity method. In your first post you mentioned something about overriding beforeEnter method and a closed loop.
Some additional troubleshooting tips:
Are you sure you are using Vaadin’s @Route annotation and not some other library?
Does your AbstractPageTemplate extend Vaadin’s Component class e.g. Div or VerticalLayout?
Attempt to remove any previous workarounds you had until the websecurity method. In your first post you mentioned something about overriding beforeEnter method and a closed loop.
I removed the workaround in my LoginView.
Some additional troubleshooting tips:
Are you sure you are using Vaadin’s @Route annotation and not some other library?
Yes, I use import com.vaadin.flow.router.Route;
Does your AbstractPageTemplate extend Vaadin’s Component class e.g. Div or VerticalLayout?
My AbstractPageTemplate looks like:
    @Tag("main-page-view")
    @JsModule("./src/views/main-page-view.js")
    @JsModule("styles/shared-styles.js")
    public abstract class AbstractPageTemplate extends PolymerTemplate<TemplateModel> {
        @Id("content")
        protected Div content;
        @Id("footer")
        protected Div footer;

        public AbstractPageTemplate() {
            //this.setContent(getContentLayout());
            this.setFooter(getFooterDiv());
        }

        abstract protected Component getContentLayout() throws IOException;

        public void setContent(Component component) {
            this.content.removeAll();
            this.content.add(component);
        }
        ...
Seems OK as long as AppConst.PAGE_TEST = “test”. Hard to say then what is wrong, since both configurations should work (the one in your first post and the websecurity workaround). What is the current behaviour without the workarounds when you try to navigate to “test”?
This is what I mentioned 7 posts before in “I think there is something strange in the ConfigureUIServiceInitListener-Class in the beforeEnter-Method…”
So, what’s a good workaround? Thanks for your analytical help.
    /**
     * Reroutes the user if she is not authorized to access the view.
     *
     * @param event
     *            before navigation event with event details
     */
    private void beforeEnter(BeforeEnterEvent event) {
        final boolean accessGranted = SecurityUtils.isAccessGranted(event.getNavigationTarget());
        if (TestView.class.equals(event.getNavigationTarget())) {
            return;
        }
        if (!accessGranted) {
            if (SecurityUtils.isUserLoggedIn()) {
                event.rerouteToError(AccessDeniedException.class);
            } else {
                event.rerouteTo(LoginView.class);
            }
        }
    }
There is still some problem with this kind of flow. I am trying to develop a forgotPasswordView which I do not want to be under authentication. The first time I run the application I can access it, but in the next round, no. Do you maybe have any solution?
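
An added example, not code from the thread or from Vaadin: the navigation guard from the posts above with the hard-coded TestView check replaced by an allow list, so that further public views such as a forgot-password view need only an annotation. `PublicView` is a hypothetical annotation; `SecurityUtils`, `LoginView` and `AccessDeniedException` are the thread's own classes and are assumed to be in the same package.

```java
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import org.springframework.stereotype.Component;

// Assumption: SecurityUtils, LoginView and AccessDeniedException are the
// thread's own classes and live in the same package as this listener.
@Component
public class ConfigureUIServiceInitListener implements VaadinServiceInitListener {

    /** Hypothetical marker: put it on every view that must open without login. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    public @interface PublicView {
    }

    @Override
    public void serviceInit(ServiceInitEvent event) {
        // Install the guard on every new UI so each navigation passes through it.
        event.getSource().addUIInitListener(
                uiEvent -> uiEvent.getUI().addBeforeEnterListener(this::beforeEnter));
    }

    private void beforeEnter(BeforeEnterEvent event) {
        Class<?> target = event.getNavigationTarget();
        // Explicit allow list: only views annotated with @PublicView skip the
        // login check. LoginView is let through too, so a reroute to it can
        // never be rerouted again.
        if (target.isAnnotationPresent(PublicView.class) || LoginView.class.equals(target)) {
            return;
        }
        // Everything else stays deny-by-default, as in the original method.
        if (!SecurityUtils.isAccessGranted(target)) {
            if (SecurityUtils.isUserLoggedIn()) {
                event.rerouteToError(AccessDeniedException.class);
            } else {
                event.rerouteTo(LoginView.class);
            }
        }
    }
}
```

The `.antMatchers("/test").permitAll()` rule from the first post is still needed for the initial HTTP request, because this listener only decides at navigation time. `permitAll()` keeps the request inside the Spring Security filter chain, whereas `web.ignoring()` skips the chain entirely for the matched path.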