Getting Access Denied for all routes with PermitAll() in Vaadin 24 and Azure SSO

Hi all,
Just posted this on StackOverflow but then saw there was a Discord server also, so I’m posting here also if that’s OK? (Please remove if not)

I’m trying to get Azure SSO working with a Vaadin app. I have been reading the docs but I’m still doing something wrong as I’m getting the Access Denied page with the message.

Could not navigate to '' 
Reason: Access is denied by annotations on the view.

Available routes:

... All my pages are the same.

I have configured my application.properties with the relevant data:

spring.security.oauth2.client.provider.azure.issuer-uri=https://login.microsoftonline.com/[TENANT ID]/v2.0
spring.security.oauth2.client.registration.[MY APP].provider=azure
spring.security.oauth2.client.registration.[MY APP].client-id=[CLIENT ID]
spring.security.oauth2.client.registration.[MY APP].client-secret=[CLIENT SECRET]
spring.security.oauth2.client.registration.[MY APP].scope=profile,openid,email

I have got to my SSO page and logged in and then when the redirect happens I get the error.

I have also got the dependency in my build.gradle file:

implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'

I have defined the Security Config as follows:

import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth ->
            auth.requestMatchers(
                AntPathRequestMatcher.antMatcher("/**")).permitAll());
        super.configure(http);
    }
}

And at the top of my views I have, for example the default route:

@Route(value = "", layout = MainLayout.class)
@PageTitle("Home")
@PermitAll

Any idea what I’m missing here?

http.authorizeHttpRequests(auth ->
            auth.requestMatchers(
                AntPathRequestMatcher.antMatcher("/**")).permitAll());

With this configuration you are telling Spring Security that all resources are public, so it will not redirect to the identity provider.
But then you have @PermitAll on your views, which in Vaadin means access is granted only to authenticated users.

You should probably remove that request matcher, and annotate your public Vaadin views with @AnonymousAllowed

OK - So I’ve left everything else as is and just commented out the code above and now all I get is

This page isn’t working
If the problem continues, contact the site owner.
HTTP ERROR 401

and if I inspect the page I see “Failed to load resource: the server responded with a status of 401 ()”
Even more confused now

I don’t have any public pages, just pages that are protected with @PermitAll

The reason I went down the SecurityConfig route is that without that class I’m getting "Server returned 403 for xhr" due to using Spring Boot and Vaadin, so I thought the security config was the piece I was missing.

It looks like you are missing the oauth2Login configuration in SecurityConfig class.
https://docs.spring.io/spring-security/reference/servlet/oauth2/login/core.html#oauth2login-provide-securityfilterchain-bean

Ahh - thanks a million - I’ll try that - I have to run for my train now but I’ll try that as soon as I get a chance !!

Thanks !!

Here’s an example for Google OAuth2, but the Vaadin parts should work fine also for Azure

Still no luck @versatile-zorse
I changed it to

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .oauth2Login(Customizer.withDefaults());

        super.configure(http);
    }

But now I’m getting

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'VaadinSecurityFilterChainBean' defined in class path resource [com/merative/logicnua/security/SecurityConfig.class]: Failed to instantiate [org.springframework.security.web.SecurityFilterChain]: Factory method 'filterChain' threw exception with message: Can't configure requestMatchers after anyRequest

If I remove .oauth2Login(Customizer.withDefaults()); from the above code I get the same also

I also tried moving the super.configure(http) as the first line and that gives

Factory method 'filterChain' threw exception with message: Can't configure anyRequest after itself

I then realised that the code you sent is part of a SecurityFilterChain bean, so I changed to that and removed the configure method:

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }

And I’m back to the XHR error

Go back to Marco's code based on the Vaadin class and remove the anyRequest matcher.
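For reference, here is what "keep the VaadinWebSecurity subclass, drop your own request matchers, and add the OAuth2 login" looks like as a complete class. This is an added example written for this thread, not code posted by anyone above or taken from the Vaadin project; it assumes Vaadin 24's VaadinWebSecurity with its setOAuth2LoginPage helper, and uses "myapp" as a placeholder client registration id that must match the `spring.security.oauth2.client.registration.<id>.*` keys in application.properties (the thread's `[MY APP]`). The ordering is the whole point: super.configure(http) already registers the Vaadin internal/static/public-route matchers and ends with anyRequest().authenticated(), so any matcher added before it (the permitAll("/**")) wins for every request, and any anyRequest() added by the subclass collides with the one Vaadin adds.

```java
package com.example.security;

import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

/**
 * Example Vaadin 24 security configuration for OAuth2/OIDC login (Azure AD
 * in the thread). Added example, not the original poster's code.
 */
@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {

    // Spring Security exposes one authorization endpoint per client
    // registration at /oauth2/authorization/{registrationId}. "myapp" is an
    // assumed placeholder: use the id you configured under
    // spring.security.oauth2.client.registration.<id>.* in application.properties.
    private static final String LOGIN_URL = "/oauth2/authorization/myapp";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // No authorizeHttpRequests(...) rules of our own. super.configure(http)
        // already:
        //   - permits Vaadin framework-internal and static resource requests,
        //   - permits routes annotated @AnonymousAllowed,
        //   - finishes with anyRequest().authenticated(),
        //   - enables the view access checker for @PermitAll/@RolesAllowed/@DenyAll.
        // A permitAll("/**") placed before it matches first and makes every
        // request public (so no redirect to the IdP, and then @PermitAll views
        // deny the still-anonymous user); an anyRequest() placed by us either
        // before or after it triggers the "Can't configure ... after anyRequest"
        // exception seen in the thread.
        super.configure(http);

        // Enables oauth2Login with LOGIN_URL as the login page (permitAll),
        // wires Vaadin's saved-request-aware success handler so the user lands
        // on the view they asked for, and registers LOGIN_URL as the login view
        // of the view access checker. That last part is what turns the
        // "Access is denied by annotations on the view" page into a redirect
        // to the identity provider for unauthenticated users.
        setOAuth2LoginPage(http, LOGIN_URL);
    }
}
```

View annotations then mean what the earlier reply said: @PermitAll grants access to any authenticated user (the IdP login happens first), @RolesAllowed("...") additionally checks granted authorities, @AnonymousAllowed makes a route public, and an unannotated route is denied. Replacing the VaadinWebSecurity subclass with a plain `@Bean SecurityFilterChain` drops Vaadin's CSRF and request-matcher wiring, which is why that variant brings back the 403 on Vaadin's XHR calls.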

Sorry @quirky-zebra - don’t quite follow you

Do you mean this line?

            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .oauth2Login(Customizer.withDefaults());

I can’t just remove the anyRequest matcher - I need to call something to authorize

I can try a matcher pattern

If I change it to

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers(
                AntPathRequestMatcher.antMatcher("/**")).authenticated()
            )
            .oauth2Login(Customizer.withDefaults());

        super.configure(http);
    }

I get straight in to my pages with no auth request to SSO - even in an incognito browser tab

And the Google code linked does not really help, as the method used, http.oauth2Login(), is deprecated, and if I use it with a default Customizer I get to any page with no login request.