Problem with getting POST parameters for a @AnonymousAllowed annotated view.

I built a Vaadin starter application with a view that allows public access. The application also has views that require users to log in. The public access view (hello) in this case takes x-www-form-urlencoded parameters through a POST method. The application was built with Vaadin 24.2 on the website and downloaded. The only changes I made to the downloaded code are to:

  • change the pom.xml file to build a WAR file.
  • add an afterNavigation method to the helloWorld class to receive the POST parameters.
  • modify the Application.java file to extend SpringBootServletInitializer.

However, I cannot get the application to handle the POST parameters.

```java
@SpringBootApplication
@Theme(value = "testaccess")
public class Application extends SpringBootServletInitializer implements AppShellConfigurator {
    // ...
}
```

When I try to send a POST request from Postman to the application, I get the following in the log file.

```
01-11:56:50.377 [https-jsse-nio-8443-exec-5] TRACE o.s.s.w.FilterChainProxy.doFilter - Invoking HeaderWriterFilter (4/12)
01-11:56:50.379 [https-jsse-nio-8443-exec-5] TRACE o.s.s.w.FilterChainProxy.doFilter - Invoking CsrfFilter (5/12)
01-11:56:50.386 [https-jsse-nio-8443-exec-5] DEBUG o.s.s.w.c.CsrfFilter.doFilterInternal - Invalid CSRF token found for https://server:8443/testaccess-1.0.0/hello
01-11:56:50.387 [https-jsse-nio-8443-exec-5] DEBUG o.s.s.w.a.AccessDeniedHandlerImpl.handle - Responding with 403 status code
```

POST requests require a CSRF token, thanks to Spring Security, for non-Vaadin-related calls.

You need to ignore CSRF for your POST request. I think this should work (in your SecurityConfiguration):

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Exempt one path and one method from CSRF; everything else stays protected
    http.csrf(csrf -> csrf.ignoringRequestMatchers(
            new AntPathRequestMatcher("/api/xxx", "POST")));
    super.configure(http);
    ...
}
```

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    MLOGGER.info("Configuring HTTP Security … ");
    http.csrf((csrf) -> csrf.disable());

    http.authorizeHttpRequests(authorize -> authorize
            .requestMatchers(new AntPathRequestMatcher("/hello")).permitAll());

    http.authorizeHttpRequests(
            authorize -> authorize.requestMatchers(new AntPathRequestMatcher("/images/*.png")).permitAll());

    // Icons from the line-awesome addon
    http.authorizeHttpRequests(authorize -> authorize
            .requestMatchers(new AntPathRequestMatcher("/line-awesome/**/*.svg")).permitAll());

    super.configure(http);
    setLoginView(http, LoginView.class);
}
```

Sorry, I am not used to Discord. I meant to say that the above is currently in my SecurityConfiguration.java. I disabled CSRF but that has no effect. I will try it your way and see what happens.

Your call has to be after `super.configure`.
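The ordering this reply insists on, as an added example that is not code from the original thread: a VaadinWebSecurity subclass that keeps the permitAll matchers posted above, calls super.configure, and only then exempts a single method on a single path from CSRF. The path /hello and the LoginView class are taken from the thread; the explanation in the comments (VaadinWebSecurity's configure() calls http.csrf(...) itself, which re-creates the CsrfConfigurer that csrf.disable() removed) comes from how Spring Security and Vaadin behave, not from anything the thread states.

```java
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Authorization rules must come before super.configure(http): the parent
        // ends its own authorizeHttpRequests chain with anyRequest().authenticated(),
        // and Spring Security rejects requestMatchers added after anyRequest().
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(new AntPathRequestMatcher("/hello")).permitAll()
                .requestMatchers(new AntPathRequestMatcher("/images/*.png")).permitAll()
                .requestMatchers(new AntPathRequestMatcher("/line-awesome/**/*.svg")).permitAll());

        // super.configure(http) calls http.csrf(...) itself to exempt Vaadin's
        // internal requests. A csrf.disable() placed before this line removes
        // the CsrfConfigurer, and the parent's csrf(...) call simply re-creates
        // it, so CSRF protection is back on by the time the filter chain is
        // built. That is why the configuration posted earlier still produced
        // "Invalid CSRF token found".
        super.configure(http);
        setLoginView(http, LoginView.class);

        // After the parent has run, add the exemption: one path, one method.
        // Do not use csrf.disable() here; that would switch CSRF off for the
        // login form and every other state-changing request in the application.
        http.csrf(csrf -> csrf.ignoringRequestMatchers(
                new AntPathRequestMatcher("/hello", HttpMethod.POST.name())));
    }
}
```

With this in place the "Invalid CSRF token found" line from the first log should disappear for POST /hello, while GET navigation and Vaadin's own request protection are unchanged. The exemption also means POST /hello can be submitted by a form on any origin, so whatever arrives there has to be validated, and for a payment request authenticated, on its own merits.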

That has certainly helped. Thank you. I am now getting past the CSRF check in Spring, but what appears to be happening is that my POST request is arriving and, when the request is being routed to the view, the parameter is lost or not passed on. I have attached a log file from the application that shows the parameter "payRequest" is present and has the JSON structure {"sid":"000000"} when the POST request arrives, but when the request is routed to the view, in this case the "helloWorld" class, the payRequest is NULL. I uploaded the log file from the application.

testaccess.log (32 KB)

Wait… are we talking about a Vaadin-based View / Route?

Yes, the helloWorld view is annotated with @Route and also @AnonymousAllowed, and it is configured to accept POST parameters using the afterNavigation method.

Nope, that's impossible.

What I see from the logs is that the POST request arrives, and next the log is talking about securing a GET:

```
01-17:35:53.574 [https-jsse-nio-8443-exec-23] DEBUG o.s.s.w.FilterChainProxy.doFilterInternal - Securing GET /?v-r=init&location=hello&query=
```

What is impossible?

Vaadin's views do not support POST.

Is this something new in Vaadin 24? Because I am porting a Vaadin 14 application where this works.

The only thing that comes to mind that could interfere somehow with this is the client-side router added in Vaadin 15… How did you access the POST params? From the HttpRequest? As far as I know it was never supported, not in 8, 10, 14 or above.

```java
// Body of the view's afterNavigation method as posted; "location" and "event"
// come from the method's inputs, MLOGGER is the view's logger.
MLOGGER.info("Original Location = " + location.getPathWithQueryParameters());
QueryParameters queryParameters = location.getQueryParameters();

if (queryParameters != null) {
    MLOGGER.info("queryParameters is NOT null .... ");
    Map<String, List<String>> parametersMap = queryParameters.getParameters();
    if (parametersMap != null) {
        MLOGGER.info("parametersMap is NOT null .... " + parametersMap.size());
        parametersMap.forEach((key, value) -> MLOGGER.info(key + ":" + value));
        List<String> payRequest = parametersMap.get("payRequest");
        if (payRequest != null) {
            MLOGGER.info("payRequest is NOT null .... ");
            MLOGGER.info("JSON Payment Request: " + payRequest.get(0));
            boolean lProcessJsonSuccess = false;
            try {
                lProcessJsonSuccess = processRequest(payRequest.get(0));
            } catch (JsonParameterException me) {
                MLOGGER.error("Json Parameter Exception while processing the JSON request: " + me.getMessage());
            }
            if (lProcessJsonSuccess) {
                proceedWithPaymentRequest();
            } else {
                event.rerouteToError(AccessDeniedException.class);
            }
        } else {
            MLOGGER.warn("payRequest IS null");
        }
    } else {
        MLOGGER.warn("parametersMap IS null .... ");
    }
} else {
    MLOGGER.warn("queryParameters IS null .... ");
}
```

Those support only GET params :sweat_smile: You should probably create an issue in the Flow GitHub repo so that the team can investigate with a reproducible example that worked in v14 and is not working anymore. I personally can't believe it worked in v14.
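One way to handle what this reply describes, as an added example that is not part of the thread: since the Vaadin route only ever sees the client-side router's GET (the `/?v-r=init&location=hello` request in the log), the POST is taken by a plain Spring MVC controller at a path of its own, validated there, handed over through the HTTP session that VaadinSession wraps, and the browser is redirected to the route. The parameter name payRequest and the {"sid":"000000"} payload come from the thread; the controller path /pay/submit, the HelloWorldView class name, the session key and the rule that sid must be a digit string are assumptions. The view uses beforeEnter rather than the thread's afterNavigation because BeforeEnterEvent is the hook that can reroute to an error view. The two classes are shown as one listing; in a project each goes in its own file.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.vaadin.flow.component.html.Paragraph;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.BeforeEnterObserver;
import com.vaadin.flow.router.NotFoundException;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.server.VaadinSession;
import com.vaadin.flow.server.WrappedSession;
import com.vaadin.flow.server.auth.AnonymousAllowed;
import jakarta.servlet.http.HttpSession;
import java.util.regex.Pattern;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;
import org.springframework.web.servlet.view.RedirectView;

/** Receives the x-www-form-urlencoded POST that a Vaadin route cannot. */
@Controller
public class PayRequestController {

    // Assumed path; it must not collide with any Vaadin @Route.
    public static final String PATH = "/pay/submit";
    // Assumed session key used to hand the validated value to the view.
    public static final String SESSION_KEY = "payRequest.sid";
    // Assumed shape of an acceptable sid: digits only, bounded length.
    private static final Pattern SID = Pattern.compile("\\d{1,32}");
    private static final ObjectMapper MAPPER = new ObjectMapper();

    @PostMapping(path = PATH, consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
    public RedirectView submit(@RequestParam("payRequest") String payRequest, HttpSession session) {
        String sid = extractSid(payRequest);
        if (sid == null) {
            // Reject malformed input here; nothing reaches the view.
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "invalid payRequest");
        }
        // Store only the validated field, never the raw body.
        session.setAttribute(SESSION_KEY, sid);
        // Context-relative redirect to the Vaadin route; the browser follows it
        // with a GET, which is the only kind of request the route will see.
        return new RedirectView("/hello", true);
    }

    /** Returns the sid from {"sid":"..."} or null when the JSON or the value is unacceptable. */
    static String extractSid(String json) {
        try {
            JsonNode sid = MAPPER.readTree(json).get("sid");
            return (sid != null && sid.isTextual() && SID.matcher(sid.asText()).matches())
                    ? sid.asText() : null;
        } catch (JsonProcessingException e) {
            return null;
        }
    }
}

/** The public route, standing in for the thread's helloWorld view. */
@Route("hello")
@AnonymousAllowed
class HelloWorldView extends VerticalLayout implements BeforeEnterObserver {

    @Override
    public void beforeEnter(BeforeEnterEvent event) {
        // VaadinSession wraps the same HttpSession the controller wrote to.
        WrappedSession session = VaadinSession.getCurrent().getSession();
        Object sid = session.getAttribute(PayRequestController.SESSION_KEY);
        // One-shot: remove it so a reload or bookmark cannot replay the request.
        session.removeAttribute(PayRequestController.SESSION_KEY);
        if (sid == null) {
            // Direct GET /hello without a preceding POST: nothing to show.
            event.rerouteToError(NotFoundException.class);
            return;
        }
        add(new Paragraph("Payment request received for sid " + sid));
    }
}
```

The controller path has to be permitted for anonymous access and exempted from CSRF in the security configuration, exactly as discussed earlier in the thread for the POST; @AnonymousAllowed only covers Vaadin routes. Because that exemption lets any origin submit the form, the controller validates the shape of the payload, and a real deployment would additionally need to authenticate the sender (for example with a signed payload), which the thread does not describe.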

This is how the request is built