Vaadin 24 and Spring Security with OAuth

quick-zorse · March 10, 2023, 7:50pm

I tried upgrading from Vaadin 23 → 24 but ran into an issue with login via OAuth (Auth0). It was working in Vaadin 23.3.0 (Spring Boot 2.7.5). The issue is that I don’t get authenticated (Access denied) and can not see the routes, except for for the HEALTH_URL which has permitAll().

Any idea of what can cause this?

Here’s the SecurityConfiguration:

@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {

  private static final String LOGIN_URL = "/oauth2/authorization/auth0";
  private static final String LOGOUT_URL = "/logout";
  private static final String HEALTH_URL = "/actuator/health";

  private LogoutHandler logoutHandler;

  public SecurityConfiguration(LogoutHandler logoutHandler) {
    this.logoutHandler = logoutHandler;
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests().requestMatchers(HEALTH_URL).permitAll();
    super.configure(http);
    http.oauth2Login().loginPage(LOGIN_URL).permitAll().and().logout()
        .logoutRequestMatcher(new AntPathRequestMatcher(LOGOUT_URL))
        .addLogoutHandler(logoutHandler);
  }
}

quick-zorse · March 10, 2023, 7:51pm

Vaadin 24 and Spring Security with OAuth

quirky-zebra · March 10, 2023, 7:59pm

Sounds more like a Spring Boot / Security thing. Vaadin doesn’t interfere with oauth2 in any way. You probably have to enable spring security debug Logging to find the cause, I had similar Problems with SB 3 and had to change my yml

quick-zorse · March 11, 2023, 8:15pm

It was a mistake in migration from Java 11 → Java 17, the @PermitAll was still referring to the javax package, it must be from import jakarta.annotation.security.PermitAll;