Hello,
Since I updated Vaadin from 24.3.5 to 24.5.0, I get redirected after login to lumo-css-framework/all-classes.css?continue, which does not exist, and I need to manually change the URL. What can be the reason for this? In my security config I already added the successUrl, but that has not helped either.
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {

    // Our custom authentication provider
    @Autowired
    private AppCustomAuthenticationProvider authProvider;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Define public resources, must be before super.configure()
        http.authorizeHttpRequests(auth -> auth
                //.requestMatchers(new AntPathRequestMatcher("/admin-only/**")).hasAnyRole("admin")
                .requestMatchers(new AntPathRequestMatcher("/VAADIN/**")).permitAll()
                .requestMatchers(new AntPathRequestMatcher("/services/**")).permitAll()
                .requestMatchers(new AntPathRequestMatcher("/rest/**")).permitAll()
                // Vaadin public view/resources
                .requestMatchers(new AntPathRequestMatcher("/newstool/unregister/**")).permitAll()
                .requestMatchers(new AntPathRequestMatcher("/public/dms/**")).permitAll()
        );

        http.formLogin(formLogin ->
                formLogin
                        .defaultSuccessUrl(ApplicationUrl.APP, true) // Redirect after successful login
        );

        super.configure(http);

        // This is important to register your login view to the
        // view access checker mechanism:
        setLoginView(http, LoginView.class);
    }

    /**
     * Exclude Vaadin-framework communication and static assets from Spring Security
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        // Configure your static resources with public access here:
        web.ignoring().requestMatchers(new AntPathRequestMatcher("/images/**"));

        // Delegating the ignoring configuration for Vaadin's
        // related static resources to the super class:
        super.configure(web);
    }
}
```
This is my VaadinWebSecurity class. It was created for Vaadin 23 but always updated when necessary.
Spring Security (and VaadinWebSecurity) works so that it tracks what URL the browser is trying to access, it stores that URL and shows a login screen instead. After login, it then redirects you to that URL. So in your case, some part of your app is trying to load lumo-css-framework/all-classes.css which is denied by the security configuration. If this is recorded as the last request before the login request, it is where you will be redirected.
The file was linked in the CSS file with `@import url('lumo-css-framework/all-classes.css');`, which I already removed. I have already deleted the generated folder in the frontend folder, without any change. The file does not exist anymore; I get a 404 error when I am redirected to it.
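The saved-request behaviour described in the reply above can be narrowed so that a denied sub-resource such as a stylesheet never becomes the post-login redirect target. The following is an added example, not code from the thread or from Vaadin: the class name `NavigationOnlyRequestCache` and the extension list are hypothetical, and it relies only on Spring Security's `HttpSessionRequestCache.setRequestMatcher`.

```java
import jakarta.servlet.http.HttpServletRequest;
import java.util.Locale;
import java.util.Set;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.util.matcher.RequestMatcher;

/** Added example (hypothetical class): limits which denied requests may be saved for the post-login redirect. */
public final class NavigationOnlyRequestCache {

    // Constructed list of sub-resource extensions; adjust for the application.
    private static final Set<String> STATIC_EXTENSIONS =
            Set.of("css", "js", "map", "png", "jpg", "svg", "ico", "woff", "woff2", "json");

    private NavigationOnlyRequestCache() {
    }

    /** True only for requests that look like a user navigating to a page. */
    static boolean isPageNavigation(HttpServletRequest request) {
        if (!"GET".equals(request.getMethod())) {
            return false;
        }
        String path = request.getRequestURI().toLowerCase(Locale.ROOT);
        int dot = path.lastIndexOf('.');
        // Only treat the dot as an extension separator if it is in the last path segment.
        if (dot > path.lastIndexOf('/')
                && STATIC_EXTENSIONS.contains(path.substring(dot + 1))) {
            return false; // e.g. lumo-css-framework/all-classes.css
        }
        // Browsers send "text/html" in Accept for navigations,
        // and values such as "text/css,*/*;q=0.1" for stylesheets.
        String accept = request.getHeader("Accept");
        return accept != null && accept.toLowerCase(Locale.ROOT).contains("text/html");
    }

    /** Session-backed request cache that saves page navigations and ignores everything else. */
    public static HttpSessionRequestCache create() {
        HttpSessionRequestCache cache = new HttpSessionRequestCache();
        RequestMatcher navigationOnly = NavigationOnlyRequestCache::isPageNavigation;
        cache.setRequestMatcher(navigationOnly);
        return cache;
    }
}
```

In a plain Spring Security configuration this is registered with `http.requestCache(c -> c.requestCache(NavigationOnlyRequestCache.create()))`; how it plugs into the request cache that VaadinWebSecurity installs depends on the Vaadin version and is not shown here.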