Issues with blank screen when attempting to create a custom login page using Spring Security

I’m attempting to create a custom login page, as a first step to automating a header-based login process. When I test my login screen, it comes up blank.
My login looks like this:

public class LoginView extends VerticalLayout {

    public LoginView() {
        // Create UI components
        TextField username = new TextField("Username");
        PasswordField password = new PasswordField("Password");
        Button loginButton = new Button("Login");

        // Layout
        add(new H1("Please Login"), username, password, loginButton);
        setAlignItems(Alignment.CENTER);
        setSizeFull();

        // Login logic
        loginButton.addClickListener(event -> {
            try {
                // Attempt authentication
                SecurityUtils.authenticate(username.getValue(), password.getValue());
            } catch (Exception e) {
                Notification.show("Login failed");
            }
        });
    }
}

…and my security setup looks like this:

public class SecurityConfig extends WebSecurityConfigurerAdapter {

    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
            .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
            .and()
                .logout()
                    .permitAll();
    }

    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password("{noop}password").roles("USER");
    }

    // If using a custom form, we need to define the UserDetailsService
    @Override
    protected UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
            User.withUsername("user")
                .password("{noop}password")
                .roles("USER")
                .build());
    }
}

Any ideas where I might be missing something?

Use the official security configuration provided by Vaadin if you don’t know what you are doing to ensure you don’t create a security nightmare.


I take it by this you mean I should use the loginForm with its “login” action, which forces the user to log in using a typed-in user ID and password, and which hides how, where, and when the calls are being made. This is not an option for my team, because we are migrating from a working PrimeFaces application which uses values extracted from the request header to accomplish CAC-based user authentication. Are there no simple examples of a custom login view which doesn’t rely on a loginForm?

You have to read up on Spring Security to see whether it supports your type of security wish. But keep in mind to extend from the Vaadin class and furthermore extend that with your custom logic; otherwise all Vaadin internal communication is blocked and your app won’t work.
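The header-based login discussed in this thread, sketched as an added example (not code from any poster or from Vaadin): Spring Security's pre-authentication filter reads the user from a request header, layered on top of Vaadin's own security configuration. It assumes Vaadin 24 with Spring Security 6 and that "the Vaadin class" is `VaadinWebSecurity`; the class name `HeaderAuthSecurityConfig`, the header name and the sample user are hypothetical.

```java
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@EnableWebSecurity
@Configuration
public class HeaderAuthSecurityConfig extends VaadinWebSecurity {

    // Assumption: name of the header the CAC-validating proxy sets (placeholder).
    private static final String PRINCIPAL_HEADER = "X-Example-Client-Id";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Register the header filter, then let Vaadin add its own rules
        // (internal framework requests, anyRequest().authenticated()).
        http.addFilter(headerFilter());
        super.configure(http);
    }

    private RequestHeaderAuthenticationFilter headerFilter() {
        // The header value is treated as the user name; no password is checked.
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<>(userDetailsService()));

        RequestHeaderAuthenticationFilter filter = new RequestHeaderAuthenticationFilter();
        filter.setPrincipalRequestHeader(PRINCIPAL_HEADER);
        // Missing header: stay unauthenticated and let the access rules deny the request.
        filter.setExceptionIfHeaderMissing(false);
        filter.setAuthenticationManager(new ProviderManager(provider));
        return filter;
    }

    @Bean
    public UserDetailsService userDetailsService() {
        // Constructed sample user; a real application would look users up in its own store.
        return new InMemoryUserDetailsManager(
                User.withUsername("DOE.JANE.1234567890").password("").roles("USER").build());
    }
}
```

The header is only trustworthy if the proxy that validates the CAC certificate strips any client-supplied copy of it and the application is unreachable except through that proxy.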

One option would be not to use Spring Security, assuming it doesn’t support this kind of authentication. Then you have full control of how to implement your login process. You can still use the rest of the Spring framework. Vaadin has support for securing access without anything extra; you can find the documentation here: Securing Plain Java Applications | Advanced Security Topics | Security | Vaadin Docs