Hello,
Looking at this documentation, https://vaadin.com/docs/latest/hilla/guides/security/spring-stateless, I'm trying to configure stateless authentication with a SecretKeySpec using the JwsAlgorithms.RS256 algorithm.
Here is my SecurityConfig:
```java
import java.util.Base64;
import javax.crypto.spec.SecretKeySpec;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {

    @Value("${my.app.auth.secret}")
    private String authSecret;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        // Disable creating and using sessions in Spring Security
        http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        // Register your login view to the view access checker mechanism
        setLoginView(http, "/login");
        // Enable stateless authentication (RS256 with a SecretKeySpec, as in the question)
        setStatelessAuthentication(http,
                new SecretKeySpec(Base64.getDecoder().decode(authSecret),
                        JwsAlgorithms.RS256),
                "com.example.application");
    }
}
```
However, this fails at runtime because VaadinStatelessSecurityConfigurer accepts only secret keys with org.springframework.security.oauth2.jose.jws.MacAlgorithm (restricted to "HS256", "HS384", "HS512"), and not with org.springframework.security.oauth2.jose.jws.SignatureAlgorithm. Is there a reason for that?
```java
public VaadinStatelessSecurityConfigurer<H>.SecretKeyConfigurer secretKey(SecretKey secretKey) {
    this.secretKey = secretKey;
    if (this.jwsAlgorithm == null) {
        this.jwsAlgorithm = MacAlgorithm.from(secretKey.getAlgorithm());
    }
    return this;
}
```
Thank you !
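For reference, an added example that is not part of the original post or of Vaadin's own code: a SecretKeySpec can only hold a symmetric key, so the MAC-only restriction is expected; RS256 is an RSA signature and needs an asymmetric key pair, not a shared secret. The configuration below uses HS256 instead and fails fast at startup if the algorithm is not a MAC algorithm or the Base64 secret decodes to fewer than 32 bytes. It assumes the `my.app.auth.secret` property and the issuer string from the post, and the `hmacKey` helper is a name chosen here.

```java
import java.util.Base64;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends VaadinWebSecurity {

    // HS256 keys must be at least 256 bits; a shorter secret weakens the MAC.
    private static final int MIN_HMAC_KEY_BYTES = 32;

    @Value("${my.app.auth.secret}")
    private String authSecret;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        setLoginView(http, "/login");
        // Symmetric key, so a MAC algorithm (HS256) rather than RS256
        setStatelessAuthentication(http,
                hmacKey(authSecret, JwsAlgorithms.HS256),
                "com.example.application");
    }

    /** Builds a symmetric JWS key, rejecting non-MAC algorithms and short secrets. */
    static SecretKey hmacKey(String base64Secret, String jwsAlgorithm) {
        // MacAlgorithm.from returns null for anything other than HS256/HS384/HS512
        if (MacAlgorithm.from(jwsAlgorithm) == null) {
            throw new IllegalArgumentException(
                    "A SecretKey requires HS256/HS384/HS512, got " + jwsAlgorithm);
        }
        byte[] keyBytes = Base64.getDecoder().decode(base64Secret);
        if (keyBytes.length < MIN_HMAC_KEY_BYTES) {
            throw new IllegalArgumentException("Secret is " + keyBytes.length
                    + " bytes; need at least " + MIN_HMAC_KEY_BYTES);
        }
        return new SecretKeySpec(keyBytes, jwsAlgorithm);
    }
}
```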