Vaadin 14 tomcat deploy shows only white page

Hi all,

I have a problem with the deployment of my Vaadin 14 (14.0.16) application on tomcat.
The project is based on the bakery-app, so it’s a spring boot application. On localhost during development everything worked perfectly fine.

Now I wanted to install the war file on my tomcat application server. The application starts, there are no errors in the logfile.

But when I enter the page it only shows a white page. The favicon and the browser tab title are shown, and I see the loading indicator - but no content (e.g. login mask).

Any idea? Any hint?

Here the log output:

31-Jan-2020 09:15:51.542 INFO [main]
 org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]

31-Jan-2020 09:15:51.542 INFO [main]
 org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/9.0.2
31-Jan-2020 09:15:51.585 INFO [main]
 org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive 
[/opt/tomcat/webapps/ROOT.war]
31-Jan-2020 09:15:59.479 INFO [main]
 org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
09:16:00.048 [main]
 DEBUG com.vaadin.flow.server.startup.DevModeInitializer - Skipping DEV MODE because PRODUCTION MODE is set.

. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v2.2.4.RELEASE)

2020-01-31 09:16:02.813 INFO 6017 --- [ main]
 c.h.myproject.ui.v14.MyprojectApplication : Starting Myprojectplication v0.6.3 on node21111-myproject-administration.hidora.com with PID 6017 (/opt/tomcat/webapps/ROOT/WEB-INF/classes started by tomcat in /opt/tomcat/temp)
2020-01-31 09:16:02.846 INFO 6017 --- [ main]
 c.h.myproject.ui.v14.MyprojectApplication : No active profile set, falling back to default profiles: default
2020-01-31 09:16:05.574 INFO 6017 --- [ main]
 .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFAULT mode.
2020-01-31 09:16:05.826 INFO 6017 --- [ main]
 .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 234ms. Found 6 JPA repository interfaces.
2020-01-31 09:16:07.745 INFO 6017 --- [ main]
 trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration' of type [org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration]
 is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2020-01-31 09:16:07.794 INFO 6017 --- [ main]
 o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 4749 ms
Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver is automatically registered via the SPI and manual loading of the driver class is generally unnecessary.
2020-01-31 09:16:08.715 INFO 6017 --- [ main]
 o.hibernate.jpa.internal.util.LogHelper : HHH000204: Processing PersistenceUnitInfo [name: default]

2020-01-31 09:16:08.878 INFO 6017 --- [ main]
 org.hibernate.Version : HHH000412: Hibernate Core {5.4.10.Final}
2020-01-31 09:16:09.120 INFO 6017 --- [ main]
 o.hibernate.annotations.common.Version : HCANN000001: Hibernate Commons Annotations {5.1.0.Final}
2020-01-31 09:16:09.380 INFO 6017 --- [ main]
 com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Starting...
2020-01-31 09:16:09.385 WARN 6017 --- [ main]
 com.zaxxer.hikari.util.DriverDataSource : Registered driver with driverClassName=com.mysql.jdbc.Driver was not found, trying direct instantiation.
2020-01-31 09:16:10.258 INFO 6017 --- [ main]
 com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Start completed.
2020-01-31 09:16:10.305 INFO 6017 --- [ main]
 org.hibernate.dialect.Dialect : HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
2020-01-31 09:16:12.715 INFO 6017 --- [ main]
 o.h.e.t.j.p.i.JtaPlatformInitiator : HHH000490: Using JtaPlatform implementation: [org.hibernate.engine.transaction.jta.platform.internal.NoJtaPlatform]

2020-01-31 09:16:12.742 INFO 6017 --- [ main]
 j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
2020-01-31 09:16:14.050 WARN 6017 --- [ main]
 JpaBaseConfiguration$JpaWebConfiguration : spring.jpa.open-in-view is enabled by default. Therefore, database queries may be performed during view rendering. Explicitly configure spring.jpa.open-in-view to disable this warning
2020-01-31 09:16:14.944 INFO 6017 --- [ main]
 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/VAADIN/**']
, []
2020-01-31 09:16:14.945 INFO 6017 --- [ main]
 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/favicon.ico']
, []
2020-01-31 09:16:14.945 INFO 6017 --- [ main]
 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/robots.txt']
, []
2020-01-31 09:16:14.947 INFO 6017 --- [ main]
 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/manifest.webmanifest']
, []
2020-01-31 09:16:14.947 INFO 6017 --- [ main]
 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/sw.js']
, []
2020-01-31 09:16:14.947 INFO 6017 --- [ main]
 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/offline-page.html']
, []
2020-01-31 09:16:14.948 INFO 6017 --- [ main]
 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/icons/**']
, []
2020-01-31 09:16:14.948 INFO 6017 --- [ main]
 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/images/**']
, []
2020-01-31 09:16:14.948 INFO 6017 --- [ main]
 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/frontend/**']
, []
2020-01-31 09:16:14.948 INFO 6017 --- [ main]
 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/webjars/**']
, []
2020-01-31 09:16:14.948 INFO 6017 --- [ main]
 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/console/**']
, []
2020-01-31 09:16:14.948 INFO 6017 --- [ main]
 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/frontend-es5/**']
, []
2020-01-31 09:16:14.948 INFO 6017 --- [ main]
 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: Ant [pattern='/frontend-es6/**']
, []
2020-01-31 09:16:14.995 INFO 6017 --- [ main]
 o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: any request, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@4167d831, org.springframework.security.web.context.SecurityContextPersistenceFilter@40d572d3, org.springframework.security.web.header.HeaderWriterFilter@32a66b4e, org.springframework.security.web.authentication.logout.LogoutFilter@47b0bffc, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@325ca461, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@79a290ff, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@7c55bf8d, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@16cf13d0, org.springframework.security.web.session.SessionManagementFilter@352904d5, org.springframework.security.web.access.ExceptionTranslationFilter@22bd93ab, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@379327f3]

2020-01-31 09:16:16.373 INFO 6017 --- [ main]
 o.s.s.concurrent.ThreadPoolTaskExecutor : Initializing ExecutorService 'applicationTaskExecutor'
2020-01-31 09:16:16.957 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Installed AtmosphereHandler com.vaadin.flow.server.communication.PushAtmosphereHandler mapped to context-path: /*
2020-01-31 09:16:16.964 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Installed the following AtmosphereInterceptor mapped to AtmosphereHandler com.vaadin.flow.server.communication.PushAtmosphereHandler
2020-01-31 09:16:16.997 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Atmosphere is using org.atmosphere.util.VoidAnnotationProcessor for processing annotation
2020-01-31 09:16:17.074 INFO 6017 --- [ main]
 org.atmosphere.util.ForkJoinPool : Using ForkJoinPool java.util.concurrent.ForkJoinPool. Set the org.atmosphere.cpr.broadcaster.maxAsyncWriteThreads to -1 to fully use its power.
2020-01-31 09:16:17.084 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Installed WebSocketProtocol org.atmosphere.websocket.protocol.SimpleHttpProtocol
2020-01-31 09:16:17.094 INFO 6017 --- [ main]
 o.a.container.JSR356AsyncSupport : JSR 356 Mapping path /vaadinServlet
2020-01-31 09:16:17.114 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Installing Default AtmosphereInterceptors
2020-01-31 09:16:17.114 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : org.atmosphere.interceptor.CorsInterceptor : CORS Interceptor Support
2020-01-31 09:16:17.114 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : org.atmosphere.interceptor.CacheHeadersInterceptor : Default Response's Headers Interceptor
2020-01-31 09:16:17.140 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : org.atmosphere.interceptor.PaddingAtmosphereInterceptor : Browser Padding Interceptor Support
2020-01-31 09:16:17.142 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : org.atmosphere.interceptor.AndroidAtmosphereInterceptor : Android Interceptor Support
2020-01-31 09:16:17.142 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Dropping Interceptor org.atmosphere.interceptor.HeartbeatInterceptor
2020-01-31 09:16:17.144 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : org.atmosphere.interceptor.SSEAtmosphereInterceptor : SSE Interceptor Support
2020-01-31 09:16:17.144 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : org.atmosphere.interceptor.JSONPAtmosphereInterceptor : JSONP Interceptor Support
2020-01-31 09:16:17.146 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : org.atmosphere.interceptor.JavaScriptProtocol : Atmosphere JavaScript Protocol
2020-01-31 09:16:17.146 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : org.atmosphere.interceptor.WebSocketMessageSuspendInterceptor : org.atmosphere.interceptor.WebSocketMessageSuspendInterceptor
2020-01-31 09:16:17.146 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : org.atmosphere.interceptor.OnDisconnectInterceptor : Browser disconnection detection
2020-01-31 09:16:17.147 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : org.atmosphere.interceptor.IdleResourceInterceptor : org.atmosphere.interceptor.IdleResourceInterceptor
2020-01-31 09:16:17.147 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Set org.atmosphere.cpr.AtmosphereInterceptor.disableDefaults to disable them.
2020-01-31 09:16:17.147 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Installed AtmosphereInterceptor CORS Interceptor Support with priority FIRST_BEFORE_DEFAULT
2020-01-31 09:16:17.153 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Installed AtmosphereInterceptor Default Response's Headers Interceptor with priority AFTER_DEFAULT
2020-01-31 09:16:17.154 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Installed AtmosphereInterceptor Browser Padding Interceptor Support with priority AFTER_DEFAULT
2020-01-31 09:16:17.154 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Installed AtmosphereInterceptor Android Interceptor Support with priority AFTER_DEFAULT
2020-01-31 09:16:17.154 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Installed AtmosphereInterceptor SSE Interceptor Support with priority AFTER_DEFAULT
2020-01-31 09:16:17.156 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Installed AtmosphereInterceptor JSONP Interceptor Support with priority AFTER_DEFAULT
2020-01-31 09:16:17.156 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Installed AtmosphereInterceptor Atmosphere JavaScript Protocol with priority AFTER_DEFAULT
2020-01-31 09:16:17.157 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Installed AtmosphereInterceptor org.atmosphere.interceptor.WebSocketMessageSuspendInterceptor with priority AFTER_DEFAULT
2020-01-31 09:16:17.157 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Installed AtmosphereInterceptor Browser disconnection detection with priority AFTER_DEFAULT
2020-01-31 09:16:17.157 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Installed AtmosphereInterceptor org.atmosphere.interceptor.IdleResourceInterceptor with priority BEFORE_DEFAULT
2020-01-31 09:16:17.157 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Using EndpointMapper class org.atmosphere.util.DefaultEndpointMapper
2020-01-31 09:16:17.157 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Using BroadcasterCache: org.atmosphere.cache.UUIDBroadcasterCache
2020-01-31 09:16:17.157 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Default Broadcaster Class: org.atmosphere.cpr.DefaultBroadcaster
2020-01-31 09:16:17.157 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Broadcaster Shared List Resources: false
2020-01-31 09:16:17.158 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Broadcaster Polling Wait Time 100
2020-01-31 09:16:17.158 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Shared ExecutorService supported: true
2020-01-31 09:16:17.158 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Messaging ExecutorService Pool Size unavailable - Not instance of ThreadPoolExecutor
2020-01-31 09:16:17.158 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Async I/O Thread Pool Size: 200
2020-01-31 09:16:17.158 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Using BroadcasterFactory: org.atmosphere.cpr.DefaultBroadcasterFactory
2020-01-31 09:16:17.158 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Using AtmosphereResurceFactory: org.atmosphere.cpr.DefaultAtmosphereResourceFactory
2020-01-31 09:16:17.158 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Using WebSocketProcessor: org.atmosphere.websocket.DefaultWebSocketProcessor
2020-01-31 09:16:17.162 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Invoke AtmosphereInterceptor on WebSocket message true
2020-01-31 09:16:17.163 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : HttpSession supported: true
2020-01-31 09:16:17.167 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Atmosphere is using DefaultAtmosphereObjectFactory for dependency injection and object creation
2020-01-31 09:16:17.168 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Atmosphere is using async support: org.atmosphere.container.JSR356AsyncSupport running under container: Apache Tomcat/9.0.2 using javax.servlet/3.0 and jsr356/WebSocket API
2020-01-31 09:16:17.168 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Atmosphere Framework 2.4.30.slf4jvaadin1 started.
2020-01-31 09:16:17.174 INFO 6017 --- [ main]
 org.atmosphere.cpr.AtmosphereFramework : Installed AtmosphereInterceptor Track Message Size Interceptor using | with priority BEFORE_DEFAULT
2020-01-31 09:16:17.193 INFO 6017 --- [ main]
 c.h.myproject.ui.v14.MyprojectApplication : Started MyprojectApplication in 16.509 seconds (JVM running for 27.374)
2020-01-31 09:16:17.259 INFO 6017 --- [ main]
 c.v.flow.server.startup.ServletDeployer : Skipping automatic servlet registration because there is already a Vaadin servlet with the name springServlet
2020-01-31 09:16:17.260 WARN 6017 --- [ main]
 c.v.f.s.c.JSR356WebsocketInitializer : Atmosphere already initialized
31-Jan-2020 09:16:17.999 INFO [main]
 org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive 
[/opt/tomcat/webapps/ROOT.war] has finished in [26,412]
 ms
31-Jan-2020 09:16:18.002 INFO [main]
 org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]

31-Jan-2020 09:16:18.010 INFO [main]
 org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]

31-Jan-2020 09:16:18.012 INFO [main]
 org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]

31-Jan-2020 09:16:18.015 INFO [main]
 org.apache.catalina.startup.Catalina.start Server startup in 26530 ms

Thanks and regards,
Marcel

Could it be that you didn’t configure the spring security configuration to [let through vaadin internal requests]
(https://stackoverflow.com/a/59527716/3441504)? There could be other reasons, but this is one of them. Could you share your Login View, and your spring security configuration?

I think the spring security config should be fine, but I’d appreciate if you could have a look at it:

package com.hallmann.myproject.ui.v14.security;

import com.hallmann.myproject.backend.service.ServiceConfiguration;
import com.hallmann.myproject.ui.v14.views.LandingPage;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

@Configuration
@EnableWebSecurity
@Import(ServiceConfiguration.class)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    private static final String LOGIN_PROCESSING_URL = "/login";
    private static final String LOGIN_FAILURE_URL = "/login?error";
    private static final String LOGIN_URL = "/login";
    private static final String LOGOUT_SUCCESS_URL = "/" + LandingPage.ROUTE;

    private final UserDetailsService userDetailsService; 

    @Autowired
    public SecurityConfiguration(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    /**
     * The password encoder to use when encrypting passwords.
     */
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Registers our UserDetailsService and the password encoder to be used on login attempts.
     */
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    /**
     * Require login to access internal pages and configure login form.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // needed for h2-console
        http.headers().frameOptions().disable();
        // Not using Spring CSRF here to be able to use plain HTML for the login page
        http.csrf().disable()
                // Register our CustomRequestCache, that saves unauthorized access attempts, so
                // the user is redirected after login.
                .requestCache().requestCache(new CustomRequestCache())

                // Restrict access to our application.
                .and().authorizeRequests()

                // Allow all flow internal requests.
                .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()

                // Allow all requests by logged in users.
                .anyRequest().authenticated()

                // Configure the login page.
                .and().formLogin().loginPage(LOGIN_URL).permitAll().loginProcessingUrl(LOGIN_PROCESSING_URL)
                .failureUrl(LOGIN_FAILURE_URL)

                // Register the success handler that redirects users to the page they last tried
                // to access
                .successHandler(new SavedRequestAwareAuthenticationSuccessHandler())

                // Configure logout
                .and().logout().logoutSuccessUrl(LOGOUT_SUCCESS_URL);
    }

    /**
     * Allows access to static resources, bypassing Spring security.
     */
    @Override
    public void configure(WebSecurity web) {
        web.ignoring().antMatchers(
                // Vaadin Flow static resources
                "/VAADIN/**",

                // the standard favicon URI
                "/favicon.ico",

                // the robots exclusion standard
                "/robots.txt",

                // web application manifest
                "/manifest.webmanifest",
                "/sw.js",
                "/offline-page.html",

                // icons and images
                "/icons/**",
                "/images/**",

                // (development mode) static resources
                "/frontend/**",

                // (development mode) webjars
                "/webjars/**",

                // (development mode) H2 debugging console
                "/console/**",

                // (production mode) static resources
                "/frontend-es5/**", "/frontend-es6/**");
    }
}

And the login page:

package com.hallmann.myproject.ui.v14.views.login;

import com.hallmann.myproject.ui.v14.security.SecurityUtils;
import com.hallmann.myproject.ui.v14.views.manageclients.ManageClientsView;
import com.vaadin.flow.component.dependency.JsModule;
import com.vaadin.flow.component.login.LoginI18n;
import com.vaadin.flow.component.login.LoginOverlay;
import com.vaadin.flow.component.page.Viewport;
import com.vaadin.flow.router.*;

import static com.hallmann.myproject.ui.v14.component.Components.VIEWPORT;

@Route
@PageTitle("Myproject Administration")
@JsModule("./styles/shared-styles.js")
@Viewport(VIEWPORT)
public class LoginView extends LoginOverlay implements AfterNavigationObserver, BeforeEnterObserver {

    public LoginView() {
        LoginI18n i18n = LoginI18n.createDefault();
        i18n.setHeader(new LoginI18n.Header());
        i18n.setAdditionalInformation(null);
        i18n.setForm(new LoginI18n.Form());
        i18n.getForm().setSubmit("Login");
        i18n.getForm().setTitle("Login");
        i18n.getForm().setUsername("Username");
        i18n.getForm().setPassword("Password");
        setI18n(i18n);
        setForgotPasswordButtonVisible(false);
        setAction("login");

    }

    @Override
    public void beforeEnter(BeforeEnterEvent event) {
        if (SecurityUtils.isUserLoggedIn()) {
            event.forwardTo(ManageClientsView.class);
        } else {
            setOpened(true);
        }
    }

    @Override
    public void afterNavigation(AfterNavigationEvent event) {
        setError(event.getLocation().getQueryParameters().getParameters().containsKey("error"));
    }
}

Yes the security conf looks fine. I’m not sure if you can let the LoginView extend LoginOverlay, it’s possible that it works but I have never seen it before. Can you try this for your LoginView?

@Route
@PageTitle("Myproject Administration")
@JsModule("./styles/shared-styles.js")
@Viewport(VIEWPORT)
public class LoginView extends VerticalLayout implements AfterNavigationObserver, BeforeEnterObserver {
	
	private LoginOverlay loginOverlay = new LoginOverlay();

    public LoginView() {
        LoginI18n i18n = LoginI18n.createDefault();
        i18n.setHeader(new LoginI18n.Header());
        i18n.setAdditionalInformation(null);
        i18n.setForm(new LoginI18n.Form());
        i18n.getForm().setSubmit("Login");
        i18n.getForm().setTitle("Login");
        i18n.getForm().setUsername("Username");
        i18n.getForm().setPassword("Password");
        loginOverlay.setI18n(i18n);
        loginOverlay.setForgotPasswordButtonVisible(false);
        loginOverlay.setAction("login");
    }

    @Override
    public void beforeEnter(BeforeEnterEvent event) {
        if (SecurityUtils.isUserLoggedIn()) {
            event.forwardTo(ManageClientsView.class);
        } else {
            loginOverlay.setOpened(true);
        }
    }

    @Override
    public void afterNavigation(AfterNavigationEvent event) {
        loginOverlay.setError(event.getLocation().getQueryParameters().getParameters().containsKey("error"));
    }
}

Edit: I actually don’t believe this was the issue, as it apparently worked for you while developing locally. If this does not solve your issue, I’m afraid I cannot help you further and I hope you receive support of vaadin employees or other knowledgeable vaadiners.

Unfortunately with your variant it’s the same.
At the moment I think it’s an issue with the packaging