How to disable Vaadin login component for certain pages?

I am trying to use the Vaadin login component, from the provided Bakery example. In a real application some pages do not need authentication, so I modified your example to allow "other" pages (/o/**) as anonymous by adding the following line to SecurityConfiguration:


                ...
                // Restrict access to our application.
                .and().authorizeRequests()
                .antMatchers("/o/**").permitAll()  // <-----------------< ADDED THIS LINE

                // Allow all flow internal requests.
                .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
                ...

But I still get the login page. Can anybody explain why, and how can I avoid login to certain pages?

Debugging the security configuration I see a heartbeat POST that may have triggered the login request:


Request received for POST '/?v-r=heartbeat&v-uiId=34':

org.apache.catalina.connector.RequestFacade@68ce37bb

servletPath:/
pathInfo:null
headers: 
host: localhost:8080
connection: keep-alive
content-length: 0
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
content-type: text/plain; charset=utf-8
accept: */*
origin: http://localhost:8080
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: http://localhost:8080/o/mypizza
accept-encoding: gzip, deflate, br
accept-language: en,it;q=0.9,pt;q=0.8,en-US;q=0.7
cookie: JSESSIONID=7E7B1F5DA0C84D5ACB8E4A386BDED907


Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  UsernamePasswordAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************



P.S. The login page is activated ONLY if I access a view (route) managed by vaadin. I tested a plain page (tiny servlet):

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Plain servlet outside Vaadin's router: a GET to /o/hello is an ordinary
// HTTP request, so Spring Security's URL-based rules see it.
@WebServlet(urlPatterns = "/o/hello", name = "Hello")
public class HelloServlet extends HttpServlet {

  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    resp.setContentType("text/plain");
    resp.getWriter().println("Hello");
    resp.getWriter().close();
  }
}

and it can be accessed without login when pointing the browser to /o/hello.

You need to return true in SecurityUtils.isAccessGranted or otherwise modify the beforeEnterListener being added in ConfigureUIServiceInitListener

Thank you very much Tulio for the fast reply, it works fine now after patching ConfigureUIServiceInitListener:

	private void beforeEnter(BeforeEnterEvent event) {
		boolean accessGranted = event.getLocation().getPath().startsWith("o/") ||
		    SecurityUtils.isAccessGranted(event.getNavigationTarget());
		if (!accessGranted) {
		...

But, out of curiosity, isn't SecurityUtils performing access control that would (in theory) have to be managed by Spring through SecurityConfiguration? Not a problem, just to understand whether the access logic can be carried out by Spring Security or has to be coded in the application.

Am I doing something wrong?

You are not doing anything wrong. The way Vaadin navigation works is that when you navigate to "/o/hello", you don't actually make a request to that URL; the navigation is done internally. Therefore Spring Security cannot intercept it.
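The following is an added example, not code from the Vaadin Bakery demo or from the posts above, showing one way to carry the answer through: a VaadinServiceInitListener that applies the route check to every in-app navigation, which is the traffic the antMatchers("/o/**") rule never sees (as the heartbeat POST to "/?v-r=heartbeat" in the log shows, in-app traffic goes to "/" regardless of the route). The Spring Security rule still matters for the first full-page load, when the browser really does issue a GET to /o/mypizza, so the two lists of public paths have to be kept in sync. Assumptions in the code: a LoginView route class exists, public views live under the route prefix "o/", restricted views are annotated with Spring's @Secured, and the package name is illustrative.

```java
// Added example (not the Bakery demo's code): enforce access on Vaadin's
// client-side navigation, which bypasses Spring Security's URL matchers.
// Assumptions: LoginView exists as a route, public views are routed under
// "o/", and restricted views carry Spring's @Secured annotation.
package com.example.security;

import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.NotFoundException;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;

@Component
public class RouteAccessInitListener implements VaadinServiceInitListener {

    /** Route prefix reachable without a login (assumption for this example). */
    static final String PUBLIC_PREFIX = "o/";

    @Override
    public void serviceInit(ServiceInitEvent event) {
        // Attach the check to every UI so each internal navigation is inspected.
        event.getSource().addUIInitListener(uiEvent ->
                uiEvent.getUI().addBeforeEnterListener(this::beforeEnter));
    }

    private void beforeEnter(BeforeEnterEvent event) {
        // Vaadin reports the route path without a leading slash, e.g. "o/mypizza".
        String path = event.getLocation().getPath();
        Class<?> target = event.getNavigationTarget();

        // 1. Anonymous routes: prefix match including the slash, so "other"
        //    or "o" alone do not slip through.
        if (isPublicRoute(path)) {
            return;
        }

        // 2. Everything else needs an authenticated, non-anonymous session.
        if (!isUserLoggedIn()) {
            event.rerouteTo(LoginView.class);   // LoginView is assumed to exist
            return;
        }

        // 3. Role check taken from the view's @Secured annotation, if present.
        if (!hasRequiredRole(target)) {
            // Answer "not found" rather than confirming that the view exists.
            event.rerouteToError(NotFoundException.class);
        }
    }

    static boolean isPublicRoute(String path) {
        return path.startsWith(PUBLIC_PREFIX);
    }

    static boolean isUserLoggedIn() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null
                && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
    }

    static boolean hasRequiredRole(Class<?> viewClass) {
        Secured secured = AnnotationUtils.findAnnotation(viewClass, Secured.class);
        if (secured == null) {
            return true; // no annotation: any logged-in user may open the view
        }
        Set<String> granted = SecurityContextHolder.getContext().getAuthentication()
                .getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
        return Arrays.stream(secured.value()).anyMatch(granted::contains);
    }
}
```

The order of the three checks is deliberate: the public-prefix test runs before the session test so that an anonymous user on /o/mypizza never bounces to the login view, and the role test runs last because it needs an Authentication to read authorities from. Keeping the listener's PUBLIC_PREFIX and the SecurityConfiguration's antMatchers("/o/**") in step is the practitioner's maintenance burden here; if they drift, a view is either reachable on direct load but not by navigation, or the reverse.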

Thanks again. All explained now.