Securing the root view (AppLayout)

I’ve set up security on V24.5.4 using the Spring Security integration/VaadinWebSecurity and have most of it working as expected. It jumps to the login page when not authenticated, and respects the annotations on each of the routed views according to the roles; however, I have an issue with the root view.

By default, all views require authentication with the exception of the login screen, which has an @AnonymousAllowed annotation.

So this blocks access to root; however, when I am logged in, I am still blocked from the root page, regardless of what annotation I place on it.
It throws back the standard (dev mode) error page:

Reason: Consider adding one of the following annotations to make the view accessible: @AnonymousAllowed, @PermitAll, @RolesAllowed.

Available routes:

* [<root>](http://localhost:8080/)

I tried placing various annotations on the main layout class (extending AppLayout), but I suspect this isn’t a regular view class, so security annotations are not read here?

As this page builds itself in code (building the navbar and drawer), I can’t see where an annotation can be placed for the page. I’d rather not go into checking the authContext for roles etc., as everywhere else in the app it’s using annotations, so I’d like to keep it consistent.

Can anyone point me to how the root page is meant to be annotated for access control, please?

My Security config looks like this:

```kotlin
import com.vaadin.flow.spring.security.VaadinWebSecurity
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.web.util.matcher.AntPathRequestMatcher

@Configuration
@EnableWebSecurity
class SecurityConfiguration(
    @Autowired val userDetailsService: SITUserDetailsManager // application-specific UserDetailsManager
) : VaadinWebSecurity() {

    @Throws(Exception::class)
    override fun configure(http: HttpSecurity) {
        // ensure login is public
        http.authorizeHttpRequests { auth -> auth.requestMatchers(AntPathRequestMatcher("/login")).permitAll() }

        // Set custom details service to map SIT Users in DB into spring UserDetails
        http.userDetailsService(userDetailsService)
        http.formLogin { auth -> auth.successForwardUrl("/exploitatie") }
        // Applies Vaadin's defaults: all other requests require authentication
        super.configure(http)

        // This is important to register your login view to the
        // navigation access control mechanism:
        setLoginView(http, LoginView::class.java)
    }
}
```

A crucial piece of information is missing: your Route (root) page

Agreed. I tried to edit my post earlier to add that, however the site is blocking me from doing so, claiming “new users can only mention 2 people”, whatever that means.

The page looks like this:


@JsModule("@vaadin/vaadin-lumo-styles/presets/compact.js") // Triggers a more compact overall style.
class MainLayout(
    @Autowired private val authContext: AuthenticationContext,
    @Autowired private val uiService: UIService
) : AppLayout() {


    init {
        primarySection = Section.NAVBAR
        if (authContext.isAuthenticated) {
            addNavbarContent()
            addDrawerContent()
        }
    }

    private fun addNavbarContent() {
        val header = createHeader()
        addToNavbar(false, header)
    }

    private fun createHeader(): Header {
        val header = Header()
        header.add(createHeaderLayout())
        header.setWidthFull()
        return header
    }

That’s not a Route - this is your Layout. Do you have a class annotated with @Route("")?


Ah, thanks Christian. I’ve missed that. I’d assumed the AppLayout was the root.
I don’t have a @Route tag with no name as you mentioned. The app just defaults to the root layout. Where would you usually place such a tag if the default root is that AppLayout?

This feels wrong. That sounds like your AppLayout contains way too much information. It’s normally your “outer shell” with menus and such. The content area in the center is filled with your classes annotated with “@Route” based on the URL.
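To make the point above concrete, here is an added example (not code from the thread or from Vaadin itself) of the missing piece: a separate `@Route("")` view that renders inside `MainLayout` and carries the access annotation. `RootView` and its contents are hypothetical; `MainLayout` is the poster's layout class and stays unannotated, since the thread shows that annotations placed on the layout are not honoured.

```kotlin
import com.vaadin.flow.component.html.H1
import com.vaadin.flow.component.orderedlayout.VerticalLayout
import com.vaadin.flow.router.Route
import com.vaadin.flow.spring.security.AuthenticationContext
import jakarta.annotation.security.PermitAll
import org.springframework.beans.factory.annotation.Autowired

// Hypothetical root route target; MainLayout (an AppLayout, hence a RouterLayout)
// wraps it and receives no security annotation of its own.
// @PermitAll keeps "/" behind the login page but open to every authenticated user;
// swap in @RolesAllowed("...") if the root should be limited to specific roles.
@Route(value = "", layout = MainLayout::class)
@PermitAll
class RootView(
    @Autowired private val authContext: AuthenticationContext
) : VerticalLayout() {

    init {
        // Navigation access control has already redirected anonymous users to
        // LoginView, so a principal is always present when this runs.
        val name = authContext.principalName.orElse("unknown")
        add(H1("Welcome, $name"))
    }
}
```

With this class present, `http://localhost:8080/` resolves to `RootView` and the dev-mode "Consider adding one of the following annotations" page no longer appears for logged-in users.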