You mean this way:
For Frontend:
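/**
 * Spring Security configuration for the Vaadin UI.
 *
 * <p>The static-resource paths in {@link #PUBLIC_ENDPOINTS} may be fetched with GET by anyone;
 * every other request falls under the rules that {@link VaadinWebSecurity} installs in
 * {@code super.configure(http)}. Authentication is stateless: Vaadin's JWT support is switched on
 * with an HS256 key read (Base64-encoded) from the {@code JWT_AUTH_KEY} property.
 *
 * <p>NOTE(review): this listing shows no {@code @Configuration} / {@code @EnableWebSecurity}
 * annotations on the class; they are presumably present in the real file, since the class would
 * otherwise not be picked up — verify.
 */
public class SecurityConfigFrontend extends VaadinWebSecurity {

    /** Issuer claim written into the JWTs Vaadin issues. */
    private static final String JWT_ISSUER = "aaa.wp";

    /** Lifetime of an issued JWT in seconds (24 hours). */
    private static final int JWT_EXPIRES_IN_SECONDS = 86400;

    /** Ant-style paths that may be fetched with GET without authentication. */
    private static final String[] PUBLIC_ENDPOINTS = {
        "/images/*",
        "/application/health/**",
        "/swagger-ui/**",
        "/v3/**",
        "/css/**",
        "/js/**",
        "/font-awesome/**",
        "/img/**",
        "/fonts/**"
    };

    /** Base64-encoded HS256 secret; decoded once in {@link #configure(HttpSecurity)}. */
    @Value("${JWT_AUTH_KEY}")
    private String jwtAuthKey;

    @Autowired
    private UserDetailsService userDetailsService;

    /**
     * Configures the UI filter chain: public GET resources, stateless sessions, the JWT filter,
     * Vaadin's own rules, the login view and Vaadin's stateless JWT authentication.
     *
     * @param http the builder for this chain
     * @throws Exception propagated from the Spring Security / Vaadin configuration calls
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.requestMatchers(publicGetMatchers()).permitAll())
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // NOTE(review): VaadinWebSecurity configures CSRF itself in super.configure(http) below,
            // so this disable() may not have a lasting effect; confirm the intended CSRF posture,
            // because Vaadin's stateless authentication carries the JWT in cookies.
            .csrf(csrf -> csrf.disable())
            .cors(withDefaults())
            // One filter instance per chain, created outside the Spring context: it receives no
            // injected dependencies (presumably it needs none — verify).
            .addFilterBefore(new JwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
        // Installs Vaadin's framework matchers and the catch-all authenticated() rule.
        super.configure(http);
        setLoginView(http, LoginView.class);
        // HS256 requires a key of at least 256 bits; the decoded property value must be that long.
        SecretKeySpec jwtKey =
            new SecretKeySpec(Base64.getDecoder().decode(jwtAuthKey), JwsAlgorithms.HS256);
        setStatelessAuthentication(http, jwtKey, JWT_ISSUER, JWT_EXPIRES_IN_SECONDS);
    }

    /** Builds one GET-only matcher per entry of {@link #PUBLIC_ENDPOINTS}. */
    private static AntPathRequestMatcher[] publicGetMatchers() {
        return Arrays.stream(PUBLIC_ENDPOINTS)
            .map(path -> AntPathRequestMatcher.antMatcher(HttpMethod.GET, path))
            .toArray(AntPathRequestMatcher[]::new);
    }

    /**
     * Authentication provider that checks credentials against {@link #userDetailsService}
     * using the BCrypt encoder from {@link #encoder()}.
     *
     * @return the configured provider
     */
    @Bean("authProvider")
    public DaoAuthenticationProvider authProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(encoder());
        return provider;
    }

    /**
     * Password encoder used for stored credentials.
     *
     * @return a BCrypt encoder with default strength
     */
    @Bean(name = "encoder")
    public PasswordEncoder encoder() {
        return new BCryptPasswordEncoder();
    }
}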
For API Requests:
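/**
 * Security filter chain for the REST API ({@code /api/**}).
 *
 * <p>Registered with {@code @Order(1)} so it is consulted before the Vaadin UI chain, and scoped
 * with {@code securityMatcher} so it never claims non-API requests. The chain is stateless: no
 * HTTP session, no form login, and callers are authenticated solely by
 * {@link JwtAuthenticationFilter}.
 */
@Configuration
public class SecurityConfigAPI {

    /** Path pattern that scopes this whole chain. */
    private static final String API_PATTERN = "/api/**";

    /** The only API endpoint reachable without a token (tokens are obtained here). */
    private static final String TOKEN_ENDPOINT = "/api/auth/token";

    /**
     * Builds the API chain.
     *
     * @param http the builder for this chain
     * @return the built filter chain
     * @throws Exception propagated from the Spring Security configuration calls
     */
    @Bean
    @Order(1)
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(API_PATTERN) // API only
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(TOKEN_ENDPOINT).permitAll()
                .requestMatchers(API_PATTERN).authenticated()
            )
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Dropping CSRF is safe only while the token is sent in a request header rather than a
            // cookie; that is decided by JwtAuthenticationFilter, which is not shown here — verify.
            .csrf(csrf -> csrf.disable())
            .cors(withDefaults())
            .formLogin(AbstractHttpConfigurer::disable) // IMPORTANT: no form login for the API
            // Separate instance from the UI chain's filter; created outside the Spring context,
            // so it receives no injected dependencies.
            .addFilterBefore(new JwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}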
Works well on a first test and makes it more maintainable, thank you