How can I prevent a PING request from being sent in my Vaadin application before the user logs in?

Here’s the chronological sequence of events:

  • The initial URL of the Vaadin application is loaded.
  • The Wildfly Elytron HTTP OIDC submodule intercepts the request.
  • It recognizes that the request is unauthenticated and sends a redirect to the SSO server (Keycloak).
  • Subsequently, the browser sends another request. This is seen in the network log as a POST request with a “PING” type and a query parameter "?v-r=uidl."
  • This new request generates a fresh “state” parameter.
  • After a successful login to Keycloak, the application attempts to redirect back to it, but the initial “state” parameter and the newly generated “state” parameter don’t match.
  • As a result, the HTTP 400 Bad Request occurs.

I’m looking for a way to prevent this PING request in Vaadin, specifically before the user logs in, to avoid this problem. Any guidance or suggestions would be greatly appreciated.

I implemented an AuthenticationFilter in my web application using the @WebFilter. Here’s the code snippet for the filter:

@WebFilter(urlPatterns = "/*")
public class AuthenticationFilter implements Filter {

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;

        if (httpRequest.getUserPrincipal() == null) {
             ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        chain.doFilter(request, response);

However, when I was debugging, I noticed that the POST request I’m specifically concerned about never seems to reach this filter.

Might be related to

Only thing that comes me to mind is to create the public entry point without Vaadin or enforce redirect to your IDP before Vaadin could handle any request, e.g. with a security chain that is in front of Vaadin, like Spring Security.