How do I set a custom AuthenticationProvider when using VaadinWebSecurity?

Flow
1

We use a custom authentication and authorisation library and for that to work I always used to set the AuthenticationProvider via the AuthenticationManagerBuilder like so:

    protected void configure(AuthenticationManagerBuilder auth) {
     auth.eraseCredentials(true).authenticationProvider(customAuthenticationProvider());
    }```
However, now that I upgraded from Vaadin 14 to 23.3 this won't work anymore as I get a nondescript error once I navigate to the application. I therefore decided to use `VaadinWebSecurity` as explained here (https://vaadin.com/docs/latest/security/enabling-security/#spring-security-dependencies) to get it working. But when I extend  `VaadinWebSecurity` I can't set the `AuthenticationProvider` as I did before because there is no `protected void configure(AuthenticationManagerBuilder auth)` to override in  `VaadinWebSecurity`. 
Does anyone know of a different way to set it? Thanks!
2

You can do something like this: https://www.baeldung.com/spring-security-authentication-provider

@Configuration
@EnableWebSecurity
@ComponentScan("com.baeldung.security")
public class SecurityConfig {

    @Autowired
    private CustomAuthenticationProvider authProvider;

    @Bean
    public AuthenticationManager authManager(HttpSecurity http) throws Exception {
        AuthenticationManagerBuilder authenticationManagerBuilder = 
            http.getSharedObject(AuthenticationManagerBuilder.class);
        authenticationManagerBuilder.authenticationProvider(authProvider);
        return authenticationManagerBuilder.build();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            .httpBasic();
        return http.build();
    }

}
3

Basically, you just need to provide a suitable @Bean method that provides you the authentication manager or user details service, Spring Security can take it into use automatically

4

Thanks to the both of you, I wasn’t aware of those approaches! :slightly_smiling_face:

5

I am new to Vaadin and have a similar question: is there a good tutorial on how to use da database backed login/authentication instead of using a InMemoryUserDetailsManager?
https://vaadin.com/docs/latest/tutorial/login-and-authentication

6

You can download a project in start.vaadin.com (with authentication activated) and use the securityconfiguration. It uses by default the database

7

(Or here for example: actuator-vaadin/src/main/java/com/example/application/security at d1f2981c9acb78f902d2082ad60e2fa730e5d76e · jcgueriaud1/actuator-vaadin · GitHub)

8

If you don’t configure the userService in the SecurityConfiguration, it will look for a bean that implements UserDetailsService like this:

9

It’s a bit magic (i.e. the code inside spring security is awfully complex :smiling_face_with_tear: )

10

Thank you for the fast response! I downloaded a start.vaadin-project and had a look on it: i think it is what i was looking for. Thank you!